December 17, 2015//Tori TaylorLast Updated: May 12, 2022
A major Safeway data breach, spanning back to September, hit several stores in California and Colorado. The attackers used a “skimming” scam to lift bank card and account information from Safeway shoppers. According to sources, customers impacted found their bank accounts drained. While the grocery store chain did not immediately release specifics on which stores were affected, cybersecurity investigator, Brian Krebs, was the first to report on the incident and outlined the regions that were hit.
After speaking to bank industry sources, Krebs offered details about the Safeway data breach on his blog, Krebs On Security. He writes, “…sources say the fraud was traced back to Colorado locations in Arvada, Conifer, Denver, Englewood and Lakewood. In California, banks there strongly suspect Safeway locations in Castro Valley and Menlo Park may also have been hit. Those sources say ATM fraud has been linked to customers using their debit cards at those locations since early September 2015.”
These types of “skimming” attacks require the offender to open the access to the card processing terminals and plant a device that allows them to capture card PINs. This is why this type of scam is typically seen in self-checkout lanes or payment terminals that are not easily monitored, like outside ATMs and gas stations.
Safeway spokeswoman Kris Staaf has confirmed that skimmers were found on three-point-of-sale machines. Staaf also noted that store officials will conduct a full investigation of the Safeway data breach while working with the U.S. Secret Service.
“Like all responsible business owners, our store teams routinely inspect all point-of-sale devices and discovered the three skimmers during these inspections,” Staaf said. “When our store teams find evidence of criminal activity like this, we have been able to pinpoint with surveillance video when the devices were installed and how many transactions were processed. We immediately followed the proper protocol of contacting law enforcement and the banks that service the few cards that were used on those pin pads.”
Safeway encouraged all customers to monitor their bank accounts.