Supervalu supermarket stores stung by sneaky sales system scammers

Supervalu, one of the biggest supermarket chains in the US, is warning customers who shopped with them between June 22 and July 17 to check their bank statements, after investigators discovered hackers have been at work. "The safety of our customers' personal information is a top priority for us," said CEO Sam Duncan. "The …

  1. gerdesj Silver badge

    PoS

    "The POS is a MS Windows system, but it only runs the POS application"

    Now substitute Piece of Shit for the abbreviation. FTFY

    Cheers

    Jon

    1. Anonymous Coward

      Re: PoS

      Fool me once shame on you.

      Fool me twice shame on me.

      Fool me for a third time and expect extensive lawsuits to follow

    2. This post has been deleted by its author

  2. Ben Tasker Silver badge

    "This is another example of an incompetent retail CEO incapable of providing leadership and process to secure their organization. Just as the CEO must manage his staff and assets, the CEO is responsible for protecting the security of his network and his customers," said Philip Lieberman, president of security firm Lieberman Software.

    Haven't read the background (only what's in the article) but had to re-read this block because the tone is pretty harsh from the get-go.

    Don't get me wrong, I agree that holding the CEO ultimately responsible is potentially a good way to get companies to start paying proper attention to security, but I'm not sure firing him's the best way forward (unless there's some additional background I've missed, or you simply want to make an example so that other CEOs perk up).

    Some unpleasant consequences, but retention of the job (this time) would surely be the better way forward. If you're going to teach someone a lesson, it's generally better for the business if you continue to employ them afterwards than to kick them out and then ultimately replace them with someone who hasn't learnt that lesson first hand (though obviously it depends what they did wrong).

    Maybe I'm just feeling overgenerous this morning?

    1. Destroy All Monsters Silver badge

      Indeed, sounds like something coming out of a ...difficult... shareholder meeting

      Maybe M. Lieberman is a shareholder?

    2. Doctor Syntax Silver badge

      unless there's some additional background I've missed

      About 2/3 of the way down it says this is the third happening they've had. One is an accident, twice is a coincidence, three times is getting to be a habit. Maybe Mr Lieberman has a point.

  3. Ross K Silver badge

    If card processing was integrated into the POS software - and the malware was able to intercept the card data - then surely the supplier of the POS software is liable?

    I was under the impression that cardholder information was supposed to be encrypted, PCI DSS compliant, and all that jazz?

  4. Anonymous Coward

    I prefer a Solvalou to Supervalu anyway. ;)

  5. psychonaut

    POS companies in the UK are no better

    One of my customers runs a little shop with a rented POS Windows box. On the first visit, about 8 months ago, I remarked on the fact it was running XP, IE6 and had Avira free anti-virus on it. The user account was running as an admin.

    Told her to get hold of them and demand an upgrade.

    She did so, and they replaced it with... another XP box (which I only found out about 3 weeks ago; I don't see her very often). She told me that they had said that it was perfectly secure because it was "running through the Windows 7 server", which it isn't, and even if it was, it's directly connected to her internet connection anyway. Their staff browse on it, for crying out loud. They just spun her a line of BS.

    I sent her an email explaining why this was completely unacceptable, and suggested she forward it on to them. They are replacing the till tomorrow.

    The old dear who runs the shop has no idea at all about computers, and can only trust what her POS supplier is telling her. They clearly don't give a monkey's about security. I wonder what the PCI-DSS guys would make of the fact that she is accepting cards on this kind of setup? I'm amazed they haven't stepped in; I have to do compliance once a year for my card acceptance. Maybe the POS guys do it for her, in which case, why haven't they stepped in? The only answer is that the POS guys are lying to them. It's pretty piss poor and I'm sure that this is not the only example of this kind of thing.

    1. Ross K Silver badge

      Re: POS companies in the UK are no better

      What POS software is she running?

    2. MyffyW Silver badge

      Re: POS companies in the UK are no better

      Whilst I would encourage people to get off XP-based systems as soon as they can, the XP-based POS systems do "enjoy" longer support from M$:

      Windows Embedded for Point of Service V1 - extended support ends April 2016

      Windows Embedded POSReady 2009 - extended support ends April 2019

      That dull thwack you hear is retailers booting upgrades into the long grass.

  6. John Brown (no body) Silver badge

    Compo?

    "If money is missing the firm will provide a 12-month subscription to consumer identity protection provider AllClear ID."

    No mention of replacing missing funds due to the cock-up then?

    1. Anonymous Coward

      Re: Compo?

      That would be the responsibility of the bank/credit card company that the funds were taken from.

      The bank/credit card company might decide to try and get the money from Supervalu but it is unlikely they will either try or succeed if they did try.

  7. Sharrow

    "we have had no evidence of any misuse of any customer data"

    No evidence of harm is not evidence of no harm.

  8. Anonymous Coward

    Two different organisations?

    I may be wrong, but Supervalu in the US and Supervalu in Ireland are two completely different entities. The loyalty card breach last year happened to the brand SuperValu which is owned by Musgrave group in Ireland - and if I recall it was a malicious breach with the loyalty card company as opposed to the retailer.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Two different organisations?

      Sure, that's why the article says "It's not the first time the Supervalu brand has been targeted."

      C.

      1. Cian Duffy

        Re: Two different organisations?

        They're still entirely unrelated though - Supervalu in Ireland and Spain is one company and this Supervalu is an entirely different company. There are zero links between them at all.

  9. Steve Goodey

    "These include the Albertson's, Acme, Shaw's and Star Market chains."

    Wait, there really is an ACME company?

    1. diodesign (Written by Reg staff) Silver badge

      Re: "Wait, there really is an ACME company?"

      There's quite a few.

      C.

      1. Anonymous Coward

        Re: "Wait, there really is an ACME company?"

        Indeed. I followed an ACME lorry only last week in Cheshire.

        No giant catapults or rocket roller skates on offer though.....

  10. All names Taken

    Inside job?

    The trouble is that this kind of occurrence rate sort of hints that it is an inside job?

    You know: want a share of troubled unpredictable profits or do a scam and get a share of $10 million?

  11. Fatman Silver badge

    C level culpability

    "As in the Target case, the board should fire both the CEO and the senior IT management that allowed this to occur for gross negligence. Technology and processes exist to eliminate this class of problem, but the CEO chose not to or could not implement them due to lack of knowledge or will."

    You forgot the real reason: "Security costs money, and that comes out of my bonus."

  12. Winkypop Silver badge

    Hmmmm

    "The safety of our customers' personal information is a top priority for us,"

    - Just not quite as top a priority as to prevent this shit from going down.

    1. Someone Else Silver badge

      @ Winkypop -- Re: Hmmmm

      "The safety of our customers' personal information is a top priority for us,"

      I believe that the "us" in that statement refers to the PR department exclusively. I don't think the rest of the firm gives fuckall about it.

Biting the hand that feeds IT © 1998–2019