Spokane’s URM Stores on Thursday announced that it is close to concluding an investigation of a credit card security breach last fall, and listed nearly 70 stores where transactions were exposed to card fraud.
The company, a distributor that serves more than 300 grocery stores in the region, did not say whether it has identified the source of the network breach. The FBI and the Secret Service are also investigating but have made no comments about the cyber attack.
URM Stores also serves as the card transaction aggregator for the stores it serves.
Starting Sept. 1, card data from 67 stores in Washington, Idaho, Oregon and Montana were exposed by the breach.
The exposure continued until Nov. 24, according to a URM Stores press release.
URM first identified the breach on Nov. 25, after several area credit unions began contacting the co-op, reporting an apparent link between fraud reports and cards’ regular use at area grocery stores.
URM at the time added new security measures to prevent a similar breach in the future, company CEO Ray Sprinkle said.
The release noted the hackers could have had access to “track 2” data, which includes card number, expiration date and card verification or security number.
“For a small number of transactions the attacker may have had access to ‘track 1’ data, which contains the same data as track 2 plus the cardholder’s name,” the release said.
URM cannot identify the specific cards that were exposed, the release also said.
It added: “We will be sending a letter or email to a small group of individuals where we believe track 1 data from their card was at risk and a member store could match the cardholder’s name to a mailing or email address on file.”
No phone numbers or Social Security numbers were at risk, the release said.
The stores exposed during the breach were: Yoke’s Fresh Market, Super 1 Foods, Harvest Foods and Stein’s Market. The list notably excluded Rosauers stores, Trading Co. locations and Centerplace Market. Those chains were originally considered on the list of stores that were exposed.
Many area banks and credit unions have borne the cost of replacing URM customers’ debit and credit cards. Many are also on the hook for thousands of dollars in credit card fraud involving illegal purchases made across the country with hacked card numbers.
The company also urged any cardholder who shopped at stores served by URM Stores to regularly review their card statements.
Ray Sprinkle’s name was corrected in later versions of this story.