Stop & Shop reports credit data was stolen

February 19, 2007

Boston Globe

http://www.boston.com/business/globe/articles/2007/02/19/stop__shop_reports_credit_data_was_stolen/



With help from US Secret Service agents, Stop & Shop Supermarket Cos. executives scrambled yesterday to determine how many consumers may have had their credit and debit card data stolen by high-tech thieves who apparently broke into checkout-line card readers and planted the equivalent of bugs to steal information.

Stop & Shop said customer information, including personal identification codes for cards, was confirmed stolen from supermarkets in Coventry and Cranston, R.I. The company said it had found evidence that card readers were tampered with in a similar way at four other stores in Seekonk and in Bristol, Providence, and Warwick, R.I. But the supermarket company said it had no reports of illegal transactions on cards that had been used at those stores.

After being notified by a bank last week that its Coventry and Cranston stores appeared to be the common link to a number of stolen card numbers, Quincy-based Stop & Shop has bolted down card readers at all 385 of its supermarkets in New England, New York, and New Jersey, company spokesman Robert Keane said yesterday.

"They would not now be able to tamper with the units the way they did before," Keane said. He declined to reveal details of how the scam worked, other than to say it involved card readers being removed, tampered with, and reinstalled. "Our investigation has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering," Keane said.

Several shoppers interviewed yesterday at the Seekonk Stop & Shop said they were astonished that they now had to worry about another way identity thieves could steal their credit card data.

"They need to upgrade their security or whatever, because something's wrong," said Matt Tucker of East Providence.

The Stop & Shop case will serve as a warning to retailers that they must get vigilant about securing, protecting, and inspecting scanners for evidence of tampering. The devices are often called PIN pads because they are used for consumers to enter their personal identification number when charging a purchase on a card.

In law enforcement's never-ending battle against identity theft, the use of sophisticated technology to grab credit card data from scanners "is definitely becoming more common," said Judith M. Leary, president of Identity Force, a Framingham data security company whose customers include the federal General Services Administration.

Leary said there are no reliable statistics on how often thieves infiltrate card readers, but she said she knows of a number of cases of stores, as well as bank teller machines, being tampered with.

Yesterday, other retailers were taking note.

"Shaw's takes careful precautions in protecting the personal information of our customers," Judy Chong , a spokeswoman for Shaw's Supermarkets Inc. of East Bridgewater, another major New England supermarket chain, said in an e-mail. "We consistently review our methods, processes, and technology in our ongoing efforts to protect our customers' private information."

Leary said the initial reports suggest the Stop & Shop situation is unlikely to represent the kind of security breach that was revealed in January at TJX Cos. of Framingham, parent company of Marshall's, TJ Maxx, and other stores. In that case, thieves broke into a computer database, potentially as early as 2003, and stole credit card numbers by the millions to make illegal purchases from Florida to Hong Kong.

Based on what has been reported so far, Leary said, the Stop & Shop approach would yield only a few credit card numbers per hour as consumers rang up sales at the checkout lines -- one each in Coventry and Cranston, according to the company -- where devices had been tampered with.

"Do I think it's the magnitude of a TJX situation? No," Leary said. "But for each individual who's had their personal information compromised, it doesn't matter. It's still such a nightmare to get the problems resolved."

Normally banks and credit card companies do not hold consumers responsible for fraudulent charges clearly made by identity thieves, but it can take victims hours to get new cards and get their credit reports cleared up.

Customers who used credit or debit cards at the six Stop & Shop stores were being advised by the company to check their bank and credit card statements carefully for suspicious transactions. Keane said card numbers used by customers at the Coventry and Cranston stores "in early February" were stolen. But until the investigation is complete, Keane said, he could not say for how long before that, if at all, numbers may have been stolen.

Police in Cranston and Coventry said detectives investing the case were not available to comment. An aide to the Secret Service's Boston special agent in charge, Steven Ricciardi , said Ricciardi was not available yesterday. The service, part of the Treasury Department, leads many government credit-card-fraud probes.

Inside the Seekonk Stop & Shop , store employees pointed out newly installed bolts on the mounts for the pin pads, intended to thwart anyone from sliding the card readers off the mount to get at the underside of the device or the wires that connect it to the cash register.

But at least one shopper was blasé. Al Mendes of Seekonk, who had just finished shopping yesterday afternoon and charged his purchases on his credit card, said he would not worry if his number got stolen.

"The credit card company eats it," Mendes said. "Not me."


main page ATTRITION feedback