Spokane’s URM Stores on Thursday announced that the company is close to finishing an investigation of a credit card security breach last fall, and listed nearly 70 stores where transactions were exposed to card fraud.
The company, a co-op food distributor and payment processor serving more than 300 grocery stores in the region, did not say whether it has identified the source of the network breach. The FBI and the Secret Service continue to investigate but have made no statements about the incident.
Starting Sept. 1, card data from 67 stores in Washington, Idaho, Oregon and Montana was exposed by the breach.
The exposure continued until Nov. 24, according to a URM Stores press release.
URM first identified the existence of the breach on Nov. 25, after several area credit unions began contacting the co-op, reporting an apparent link between fraud reports and cards’ regular use at area grocery stores.
URM at the time added new security measures to prevent a similar breach in the future, company CEO Ray Sprinkle said.
The release noted the hackers could have had access to “track 2” data, which includes card number, expiration date and card verification or security number.
“For a small number of transactions the attacker may have had access to ‘track 1’ data, which contains the same data as track 2 plus the cardholder’s name,” the release said.
URM cannot identify the specific cards that were exposed, the release also said. The release also noted that URM Stores discovered the attack was similar to other breaches reported by grocery networks.
“We will be sending a letter or email to a small group of individuals where we believe track 1 data from their card was at risk and a member store could match the cardholder’s name to a mailing or email address on file,” the release said.
No phone numbers or Social Security numbers were at risk, it added.
The stores exposed during the breach included: Yoke’s Fresh Market, Super 1 Foods, Harvest Foods and Stein’s Market. The list notably excluded all Rosauers, Trading Co. and CenterPlace Market stores, which were originally considered among the chains exposed.
Many area banks and credit unions have borne the cost of replacing URM customers’ debit and credit cards. Many are also on the hook for thousands of dollars in credit card fraud involving illegal purchases made across the country with hacked card numbers.
The company also urged any cardholder who shopped at stores served by URM Stores to regularly review their card statements.
Subscribe to the Morning Review newsletter
Get the day’s top headlines delivered to your inbox every morning by subscribing to our newsletter