In mid-August, spokesmen for the SuperValu chain of grocery and/or liquor stores announced that, due to a previously unannounced security breach, hackers had had access to the company's customer payment-card database between June 22 and July 17, though the company did not inform anybody of this until August 14.
That security breach from last summer is not to be confused with the most recent security breach announced this week, which apparently occurred shortly after Albertsons et al. fixed the damage from the last one. On Monday, Albertsons released a statement saying:
The Company has been informed that different malware was used in this recently discovered incident than was used in the incident previously announced on August 14, 2014. The investigations into both this incident and the earlier incident are ongoing.
AB Acquisition promptly notified federal law enforcement authorities of this separate criminal incident, which apparently occurred in late August or early September 2014 …. The new malware may have captured account numbers, expiration date, other numerical information and/or the cardholder’s name.
The statement goes on to say that the problem does not affect every store in the chain, only those stores which used a particular “point of sale system,” or third-party payment processor:
Because the point of sale systems are different across AB Acquisition divisions, Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and our two Super Saver Foods Stores in Northern Utah were not impacted by this incident. However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were affected by this new incident.
If you keep up with customer-database hacking news, you've surely noticed how often the hackers succeed not by attacking the company's own database directly, but by compromising a third-party point-of-sale system. Just last week, point-of-sale systems provider Signature Systems admitted that hackers cracked its security and accessed customer data from the Jimmy John's sandwich chain and at least 108 different independently owned businesses (mostly restaurants).
So far, there's no indication who made the particular point-of-sale system compromised in this most recent Albertsons security breach, but if you bought anything with a payment card at the affected stores within the past month, you'll probably need to get new cards issued again.