Cyber Incident Victim: Natural Grocers

Date: Dec 2014

Location: United States of America

Summary

A cybersecurity incident at Natural Grocers involved unauthorized access to customer payment card data through compromised point-of-sale systems, following an intrusion exploiting database server vulnerabilities that enabled lateral network movement. While financial institutions identified fraud patterns linked to stolen cards, the company stated it received no fraud reports and confirmed no personal information, PINs, or card verification codes were accessed due to its payment processing practices. The retailer engaged forensic experts and law enforcement, accelerating upgrades to PCI-compliant point-of-sale systems with point-to-point encryption and chip-and-PIN capabilities across all locations to enhance data protection during the ongoing investigation.

Description

In March 2015, financial industry sources alerted KrebsOnSecurity to a pattern of credit and debit card fraud traced to transactions at Natural Grocers locations nationwide, prompting an investigation by the Colorado-based grocery chain. Natural Grocers confirmed it had engaged a third-party forensics firm and involved law enforcement to examine a potential unauthorized intrusion targeting limited customer payment card data. The company stated it had not received any reports of fraudulent card use from customers, card brands, or financial institutions at the time of its announcement. According to a source familiar with the breach, attackers exploited vulnerabilities in the company’s database servers shortly before Christmas 2014, gaining access to the internal network. The intruders then moved laterally to install card-snooping malware on point-of-sale (POS) systems designed to harvest payment card data during transactions. Natural Grocers emphasized that no PINs, card verification codes, or personally identifiable information like names or addresses were compromised, as the retailer did not collect such data through its payment processing systems.

The breach impacted Natural Grocers’ 93 stores across 15 states, though the company maintained that it had no conclusive evidence of data misuse despite banking sources reporting stolen cards being sold in cybercrime forums. In response, the grocer accelerated plans to replace all POS systems with PCI-compliant terminals featuring point-to-point encryption and upgraded PIN pads compatible with chip-and-PIN card technology. This upgrade aimed to add multiple layers of protection for cardholder data during processing. The company reiterated its commitment to data security but declined to provide further details while the forensic investigation remained ongoing. No customer notification initiatives or regulatory filings were disclosed in the available statement. The incident highlighted tensions between financial institutions’ fraud pattern analysis and corporate breach disclosures, as Natural Grocers’ public stance contrasted with banking sector reports of active card trafficking tied to the intrusion.
