Fans of “natural” foods take note: it looks like hackers have managed to plant malware on the cash registers at various Natural Grocers locations throughout the country.
Security blogger Brian Krebs reports that, according to his financial-industry sources, the hackers first managed to breach Natural Grocers' internal security shortly before last Christmas, eventually putting card-reading malware programs on various point-of-sale systems in the company. (In other words: the hackers did not access any databases of stored information, but did manage to lift at least some information from cash-register transactions as they occurred.)
However, spokespeople for Natural Grocers have said that the company is investigating “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data,” although the company said in a statement that it:
… has received no reports of any fraudulent use of payment cards from any customer, credit card brand or financial institution. In addition, there is no evidence that PIN numbers or card verification codes were accessed. Finally, no personally identifiable information, such as names, addresses or Social Security numbers, was involved, as the company does not collect that data as part of its payment processing system.
Already on sale
It's possible that various card issuers have not yet formally reported this suspected fraud to Natural Grocers, though Krebs says that “banking sources have told this author about a pattern of card fraud indicating cards stolen from the retailer are already on sale in the cybercrime underground.”
Most likely, this means that a large batch of stolen card numbers recently went on sale, and the banking investigators in charge of figuring out where and how those card numbers were stolen realized they all shared one trait in common: at some point in the past two months or so, every single stolen card had been used to pay for something at Natural Grocers.
If you've shopped at Natural Grocers since last December and paid with a credit or debit card, contact your card issuer and take the usual precautions required to protect yourself a possibly compromised card.