Scores of employees and customers of a supermarket chain have had their account information compromised after thieves tampered with debit and credit card readers in self-checkout lines in Northern California.
Lucky Supermarkets, which disclosed the breach Monday, said some 300 customers were affected at 23 of its San Francisco Bay Area stores, and some had money stolen from their accounts.
Lucky Supermarkets is part of Modesto-based Save Mart Supermarkets, which operates more than 233 stores in Northern California and Northern Nevada.
Police in Petaluma said at least 57 people reported money being stolen from their bank accounts after using VeriFone card readers in a self-checkout line. The average loss appeared to be about $500, and the money was withdrawn throughout California, including in the San Francisco, Santa Barbara and Northridge areas, and Reno, Nev., police said.
Alicia Rockwell, a spokeswoman for Lucky Supermarkets, said 1,500 inquiries had come into the company's call center as of Tuesday. She said that of those, about 300 customers were claiming that they had either some unauthorized activity on their credit or debit cards or some attempted unauthorized activity.
Stephen Ackerman, chief financial officer of Save Mart, said the U.S. Secret Service Electronic Crimes Task Force is investigating the clandestine data "sniffers" attached to the card readers.
"All the devices are now down in Tulsa, Okla., at the Secret Service lab, (where they're) trying to read the data on the chips," Ackerman said. "The VeriFone people said it was the most sophisticated device they've ever seen so far as a sniffer."
VeriFone said it would not comment on the case. The Secret Service did not return calls.
Criminals typically have to steal the card readers to get the data, but in this case, the masterminds were retrieving data through a Bluetooth device, Ackerman said.
"There are several hundred thousands of these units in the United States, probably the world; and now they're all vulnerable," he said.
Ackerman said suspicions first emerged Nov. 11, when an employee performing routine maintenance discovered a suspicious card reader, prompting a sweep of all Lucky Supermarkets stores.
Rockwell said one reader at each store was affected.
The company does not know how far back the data theft goes. But it is advising customers who used a self-checkout lane in October or November to close their accounts. The VeriFone units were installed in 2007.
"It's very easy nowadays for people to steal your identity," John Lee, who was shopping Tuesday at the Lucky's store on Blossom Hill Road in San Jose, told the San Jose Mercury News. The 60-year-old engineer said he'd heard about the hacking on the TV news and had brought cash to the checkout counter.
"I'm scared they're going to steal my money," he said.