Lakewood, Colorado, based Natural Grocers by Vitamin Cottage Inc. is currently tracing a security breach of data containing customer credit card information. The company has hired a third-party data forensics firm to help find the source of the intrusion, and law enforcement is also investigating the incident.
The grocery chain, whose 93 stores are located in 15 states, said they have received no alerts of credit card fraud, either from customers or financial institutions, said Computer Weekly. According to a formal company statement, "no personally identifiable information, such as names, addresses or Social Security numbers, was involved, as the company does not collect that data as part of its payment processing system."
Investigative reporter Brian Krebs, author of Krebs on Security, stated that he received information from banking sources suggesting the sale of the stolen credit card data is already underway. Citing a source with inside knowledge, he said hackers targeted vulnerabilities in the grocery chain's database servers and breached the system a short time before Christmas 2014. Moving through the internal network, the culprits hid data-mining malware on point-of-sale systems.
As the investigation continues, Natural Grocers is expediting an upgrade of every store's POS system, in order to comply with the Payment Card Industry Data Security Standard, which formalizes rules regarding the transmission and safe storage of credit card data.
Point-to-point encryption will be included in Natural Grocers' new POS system, which will also be able to accept the more secure chip and PIN cards, which use an embedded computer chip in lieu of a magnetic strip, in line with the global standard for preventing credit card fraud. Chip and PIN is also known as the Europay, MasterCard and Visa (EMV) standard.
While adopting a more secure standard is a step in the right direction, the impact of the breach could have been mitigated had it been caught at the outset with big data security analytics.
Cybersecurity news and analysis brought to you by ArcticWolf, inventors of firebreak detection and response security services. FireBreak, when your firewall fails.