Supervalu, one of the largest grocery chains in the US, with both company-owned and franchised locations, has fallen victim to a cyberattack, the company announced Friday.
Malicious hackers targeted the part of Supervalu's network that handles credit card transactions and may have stolen credit card information, including expiration dates, actual card numbers, and, potentially, cardholders' names. The grocery chain said on Friday that it has yet to confirm that the data was actually stolen, but it can confirm the intrusion and that the information could have technically been accessible.
"The Company has not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution," Supervalu said in a statement on Friday.
A related data breach affected stores that were previously owned by Supervalu, including Albertsons, Acme Markets, Jewel-Osco, and Shaw's. (AB Acquisition is the holding company that now operates those stores across the country.) Supervalu provides IT services to those stores in more than 20 states.
Supervalu generates annual sales of approximately $17 billion. The company has a network of 3,320 stores across the country, made up of franchises, company-owned retail outlets, and Save-A-Lot stores. However, only about 200 stores have so far been identified (PDF) as affected, according to the company. It believes that no Save-A-Lot stores or independent locations have been affected.
Supervalu's announcement is just the latest black eye on the corporate world as it tries -- seemingly without any effect -- to combat malicious hackers who are actively targeting customer information. Last year, Target was the subject of a massive cyberattack that left open the personal information of as many as 110 million customers. Target plugged the hole and subsequently offered customers a full year of a credit-monitoring service.
Supervalu believes that its network was at risk between June 22 and July 17. The company said that it closed the hole in the network after discovering it and hired third-party data forensics experts to see what could have been stolen. That investigation is ongoing.
"The Company currently has no reason to believe that additional information beyond that described above may have been stolen by the intruder," the company said in a statement. "However, given the continuing nature of the investigation, it is possible that time frames, locations and/or at-risk data in addition to those described above will be identified in the future."
In an e-mailed statement to CNET, Supervalu spokesperson Jeff Swanson said that the company "believes that the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores."
Albertsons provided much of the same information as Supervalu, saying that its customers could have been at risk between June 22 and July 17 and it's not clear whether any information has been stolen. The company believes at this time that not all of its stores were affected, but rather a subset in certain markets across the country.
"As soon as we were notified of the incident, we began working closely with Supervalu to determine what happened," Albertsons CIO Mark Bates said in a statement on Friday. "It's important to note that there is no evidence at this point that consumer data has been misused."
It's not clear from the Albertsons statement how many of its stores were affected, but the investigation into the matter is ongoing. More information from both Albertsons and Supervalu is expected to be shared in the coming days.
CNET has contacted Albertsons for comment. We will update this story when we have more information.