Back in May, I blogged about the Michaels Arts & Craft Store company discovering that 90 PIN pads in 80 of their stores in 20 US states had been tampered with, allowing skimmers to steal the credit and debit cards numbers of an unknown number of customers. The company eventually decided to replace all 7,200 PIN pads at its hundreds of US stores, "Out of an abundance of caution, " it stated. As of today, the thieves have still not been caught although some have seemed to have been identified, at least in Oregon.
Well, what looks to be a novel skimming approach that was first disclosed in late November by the Lucky Supermarket chain operating in the Northern California region apparently was worse than first thought. On the 23rd of November, Lucky - which has 234 stores - sent out a press notice stating:
"In the course of regular store maintenance, we discovered our credit/debit card readers at the self-check lanes ONLY in 20 stores ... had been tampered with. Steps were taken immediately to remove the tampered card readers in the affected stores, as well as enhance security to every credit/debit card reader in all 234 stores in our company. We are not aware nor have we been notified of any reports that customer accounts were compromised."
The company's news release didn't garner much press attention at the time, most likely because of the statement that no customers seemed to have been affected as well as because the statement came out the day before the Thanksgiving Day holiday began. However, what the press release didn't say and what would have likely raised eyebrows was that the store found what appeared to be an extra computer board secretly inserted inside the stores' self-checkout machines and that it was capable of recording customer transactions and transmitting them wirelessly to thieves sitting in nearby parking lots, this Press Democrat article reported. The skimming device didn't stand out as being out of place, the service tech who found it indicated.
I haven't heard of this type of embedded skimming technology being used against store self-check out machines before. If someone has, I would be interested in a reference to the incident(s).
The story remained mostly under the press radar until Monday,when Lucky released a new press release stating that:
"Since our Consumer Advisory on November 23, we have had the full support and engagement of local, state, and federal authorities as well as financial institutions and card processors. This week we anticipate learning from these authorities the start and ending dates of our credit/debit card reader tampering. The end of last week, we received notification of a number of employee and customer account breaches and are in the process of confirming if they were a result of activity through our self-checkout terminals."
"At this time, we strongly recommend that anyone who used our self-checkout terminals in the affected stores during the months of October and November consider closing their bank account and opening a new one. Authorities have told us that attempts to steal account information are most likely to occur over the weekend when most financial institutions are closed or have limited hours."
A story in the Marin Independent Journal also reported that self-checkouts at now 23 Lucky Supermarket were found to be tampered with, and that the company had identified some 80 employee and customer bank accounts that apparently had been compromised.
Monday's press release and subsequent news coverage of it unleashed a flood of Lucky customers who said their accounts were possibly also compromised. For instance, according to the Mercury News on Tuesday, Lucky received over 1,000 calls after the story hit the press from customers saying that they might have been victims of the skimming. At least one credit union decided to issue 4,000 new debit cards to its customers because of the incident, the Marin Independent Journal also reported.
And according to a Mercury News story from yesterday, a Lucky representative postulated that "... the tampering could have been performed by someone pretending to be using the checkout machines to buy groceries."
That seems a bit far-fetched as explanations go. I think someone in one of the 20 plus Lucky stores would have noticed a "shopper" opening up a self-checkout machine and playing around with its innards. The tampering also seems to indicate a high-level of familiarity with the type of self-checkout machine being used by Lucky stores.
In a FAQ news release yesterday, one of the questions posed was, "Were your own employees involved?" The store chain replied that, "At this point, we have no reason to believe that our employees were involved."
The FAQ press release also went on to say that now 24 stores were in fact affected, and that:
"Local, state, and federal authorities continue investigating. Currently, all the tampered card readers have been sent to the Secret Service for evaluation. We hope to know soon the time frame that the credit/debit card readers contained an illegal skimming device. This is an ongoing criminal investigation and we are closely following law enforcement instructions on what information can be released that will not compromise their investigation."
The FAQ went on to state that:
"We also know that only ONE self-checkout credit/debit card reader in EACH of the 24 stores was compromised."
Yesterday's Mercury News report says that "... 1,500 people have called the company's customer service hot line, and 300 of them have reported their cards had been accessed or that an attempt had been made to access them." I expect the number will continue to grow over time, and can a lawsuit be far behind?
Readers also told the Mercury News that "... they'd recently been victims of card skimming after shopping at [San Jose] area Safeway and 7-Eleven stores." I suspect the local California press will be digging into these claims shortly.
I'll update this post as new information becomes available.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.