Possible data breach at ACME stores in Pa, NJ, Del.

Tuesday, September 30, 2014
VIDEO: ACME security breach
ACME is telling its customers to be aware of a possible data breach.

PHILADELPHIA -- Card data of ACME shoppers may be at risk after another hack, the supermarket's owner said.

Albertsons, which owns ACME Markets, and Supervalu made the announcement Monday.

The breach could affect ACME Markets stores in Delaware, Maryland, New Jersey and Pennsylvania.

The company said that in late August or early September, malicious software was installed on networks that process credit and debit card transactions at some of their stores.

"Based on the information we currently know, it is not believed that any customer data was stolen. However, out of an abundance of caution, if you used your credit or debit card in a potentially affected store between June 22, 2014 and July 17, 2014 or between August 27, 2014 and September 21, 2014, you should monitor your credit and debit card account and promptly contact the bank that issued your payment card if you see suspicious activity. Stores in the following states were potentially affected: Delaware, Maryland, New Jersey, and Pennsylvania," ACME said in a FAQ statement on their website.

According to ACME, the possible stolen data includes names, account numbers, expiration dates or other numerical information.

"Importantly, sensitive information (like Social security numbers, birthdates or driver's license information), and other personal information were not affected, because that information is not collected as part of the payment process," the store said.

ACME says they will provide complimentary identity protection to affected customers for one year.

"This coverage includes automatic protection with AllClear Secure for the next 12 months - there is no action required on your part to receive or enroll in this service. If a problem arises, simply call 1-855-865-4449," ACME said.

Along with ACME Markets, the breach could affect Albertsons stores in California, Idaho, Montana, Nevada, North Dakota, Oregon, Utah, Washington and Wyoming; Jewel-Osco stores in Illinois, Indiana and Iowa; and Shaw's and Star Markets stores in Maine, Massachusetts, New Hampshire, Rhode Island and Vermont. The Boise, Idaho-based company has a total of 1,081 stores.

Supervalu Inc. said it believes the malware was only able to capture card data from some checkout lanes at four Cub Foods locations in Minnesota because it had not finished making security improvements at those stores. The company thinks it has gotten rid of the malware.

The malware was also installed on a network that processes card transactions at Shop 'n Save and Shoppers Food & Pharmacy stores as well as some stand-alone liquor stores, but the company, which has 3,320 stores, thinks the malware did not capture payment card data from any stores except possibly for the four in Minnesota.

Supervalu sold the Albertsons, Acme, Jewel-Osco, Shaw's and Star Market chains to Cerberus Capital Management in 2013, but it still provides information technology services for those stores.

The companies also disclosed a data breach in August. They said the two incidents are separate. Supervalu said that incident may have affected as many as 200 grocery and liquor stores. It said hackers accessed a network that processes Supervalu transactions, with account numbers, expiration dates, card holder names and other information.

That breach occurred between June 22 and July 17, and Supervalu said it immediately began working to secure that portion of its network. The companies said Monday that they are still investigating that incident and don't know if cardholder data was taken.

The latest breach follows big hacks that affected millions of customers at Home Depot, Target and other retailers over the past year.

ONLINE: ACME Markets FAQ