Customers who used the self-checkout lanes at Lucky Supermarkets have been hacked. The grocer, which operates stores in California, says some of their credit card machines have been altered with sniffers to capture credit and debit card numbers. Lucky, owned by parent company Save Mart, is telling customers who used those machines to close their bank and credit card accounts. At least 80 at-risk accounts have been identified and the supermarket chain has gotten calls from more than 500 customers who fear they are victims of fraud.
Card-skimming scams have been reported at gas stations and ATMs and retail chain stores. But this appears to be a first widespread attack at a supermarket checkout lane.
A key question remains how criminals could have attached these devices at multiple Lucky locations without anyone noticing. Lucky says at least 24 Bay area stores have been affected.
According to a report in the San Jose Mercury News, Save Mart’s CFO doesn’t think it’s an inside job, saying “It’s pretty well-understood technology. If a bad guy really wanted to go do this, they could probably go online and educate themselves at Google.”
Lucky first got suspicious on November 11th, when an employee doing maintenance noticed something that didn’t look right. They discovered an extra computer board inside the checkout machine recording customer info. Lucky says it warned customers on November 23rd, but it wasn’t aware of any cases of fraud at the time.
The checkout card readers were made by VeriFone, which confirmed there was a problem. The Lucky spokesman told the Mercury News “it was a very sophisticated device that they’d never seen before.” In addition to making credit card readers, VeriFone has a partnership with Google for NFC-based mobile payments.
Save Mart operates 233 stores in Northern California and Nevada under the names Save Mart, S-Mart Foods, Lucky and FoodMaxx brands. Lucky has posted a list of stores affected and information for consumers on their website.