Cyber Incident Victim: SuperValu
Date:
Jun 2014
Location:
United States of America
Summary
A major supermarket parent company experienced a network intrusion potentially compromising customer credit card data across 180 affiliated grocery stores in multiple states. The breach, suspected to target point-of-sale systems, prompted precautionary notifications despite no confirmed data theft or evidence of misuse. Impacted locations spanned several regional chains, with stolen payment card information potentially appearing for sale in underground markets where such data commands significant prices. The intrusion was reportedly contained, and customers were advised their cards remained safe to use.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In August 2014, SuperValu Inc., a Minnesota-based grocery retailer operating chains including Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save, and Shoppers Food and Pharmacy, disclosed a cybersecurity incident involving unauthorized access to its network. The company announced on August 15, 2014, that 180 of its stores across North Carolina, Maryland, Virginia, Illinois, Missouri, North Dakota, and Minnesota had been affected by a network intrusion. SuperValu stated it had not yet confirmed the theft of any customer credit card data but issued the notification as a precautionary measure. The breach occurred over an unspecified period, during which attackers potentially accessed payment card information from point-of-sale systems. Concurrently, AB Acquisition LLC, parent company of Albertsons and Jewel-Osco supermarkets, reported similar breaches affecting stores in multiple states, though no direct connection between the two incidents was confirmed. Both companies emphasized they had no evidence of actual misuse of customer data at the time of disclosure.
The intrusion was suspected by cybersecurity experts to have targeted point-of-sale systems, mirroring tactics observed in other retail breaches during that period. SuperValu asserted it had contained the breach and implemented enhanced security measures, advising customers they could safely resume using payment cards at its stores. The company did not specify the exact number of potentially compromised cards but acknowledged stolen data could surface on underground markets, where such information historically sold for $20 to over $100 per card. No forensic evidence confirmed data exfiltration, but the disclosure aligned with industry practices following point-of-sale compromises. SuperValu and AB Acquisition LLC coordinated their announcements, reflecting the broad geographic scope impacting shoppers nationwide. Neither entity provided details about the intrusion’s origin, duration, or specific attacker methodologies beyond confirming unauthorized network access. The incident underscored operational risks for retailers reliant on centralized payment processing systems during a period of heightened cybercriminal activity targeting consumer financial data.