Shoppers urged to check card statements after cyber attack attempt

Supervalu, Centra and Daybreak stores were targeted by criminals attempting to steal numbers and expiry dates of credit cards

Centra, Supervalu and Daybreak stores were targeted by cybercriminals. Photograph: Dara Mac Dónaill / The Irish Times
Centra, Supervalu and Daybreak stores were targeted by cybercriminals. Photograph: Dara Mac Dónaill / The Irish Times

Tens of thousands of people who have shopped in Supervalu, Centra and Daybreak stores in recent days have been warned to watch their next credit and debit card statements as a precautionary measure after an attempted cyber attack on the stores.

The supermarkets and convenience stores, as well as their parent company Musgrave, were targeted by criminals who tried to steal numbers and expiry dates of customers' cards.

Musgrave, which confirmed the attack on Tuesday, said it was engaged in an ongoing investigation with the Garda. It did not provide details of when the attack took place or how many of its customers were potentially involved.

The company said it had notified the Office of the Data Protection Commissioner of the incident. Its spokesman said it had committed to keeping the commissioner updated as its investigation progressed.

READ SOME MORE

In a statement Musgrave said it had “detected that malicious software was attempting to extract debit and credit card numbers and expiry dates, but not the cardholder name, PIN number or CCV number” of customers.

It stressed there was “no evidence that any data has been stolen”, but said it was still advising shoppers “to review activity on their statements as a precautionary measure”.

It said it was still assessing the extent of the attempted extraction by the unidentified cyber-criminals and had followed all appropriate steps.

Technical fixes

“We took preventative action and there is no evidence of extraction of data,” a spokesman said, adding that its “cyber breach response consultancy” had installed advanced technical fixes on its systems as soon as the potential breach was uncovered.

“It is important to note that once we became aware of the attempted extraction of data from our systems yesterday afternoon, we immediately took preventative action,” he said.

"We informed the Office of the Data Protection Commissioner (ODPC) this morning in line with their guidance. We are updating the ODPC as our investigation with An Garda Síochána continues."

He said that the company did not store card data on its servers, which suggests the breach involved the criminals potentially intercepting customers’ sensitive financial data in real time.

The spokesman said it had communicated with customers “in order to provide reassurance and to advise them to review activity on their statements as a precautionary measure”.

Cybercriminals

The threat by cybercriminals targeting businesses is on the increase across Europe. Ransomware attacks have gone up by 300 per cent since 2015 and the economic impact of cybercrime is estimated to have risen five-fold between 2013 and 2017 and is set to rise another four-fold by 2019.

Ransomware works by encrypting files on infected computers and demanding a sum be paid in exchange for a password, which allows the owner to regain access to their data.

While there is no evidence any of Musgrave’s customers’ cards having been compromised, credit and debit card fraud is a growing problem.

In 2015, card fraud in the Republic was estimated to amount to about €29.6 million. Some 70 per cent of these purchases – worth almost €21 million – were carried out through “card not present” fraud by online or telephone purchasers.

In the first half of last year €20.8 million was lost through card fraud in Ireland. Some 78 per cent of this fraud was through “card not present” incidents.

Conor Pope

Conor Pope

Conor Pope is Consumer Affairs Correspondent, Pricewatch Editor