The recent discovery of payment-terminal tampering at 24 outlets of California’s Lucky Supermarkets chain is raising fresh questions about the possible role of insiders in such highly coordinated crimes.
Hundreds of customers reportedly experienced losses associated with the breach, which a Lucky store employee discovered Nov. 11 after noticed irregularities in a self-checkout lane payment terminal.
A store audit revealed that criminals had planted card-skimming devices in the payment terminals of self-checkout lanes in two-dozen stores in the San Francisco Bay area. The company said law enforcement suspects the criminals used wireless technology to extract card data from the planted devices.
Earlier this year, Michaels Stores Inc. outlets in 20 states experienced an eerily similar attack on their debit card PIN pads (
Modesto, Calif.-based Save Mart Supermarkets, which owns Lucky and several other store chains, on Nov. 23 warned customers on its website of the tampering incident and said their card data may have been exposed.
The company immediately began inspecting or replacing 2,557 payment terminals in its 233 stores in California and Nevada, the company said in a Dec. 20 press release.
The attack compromised "less than 1,000" customers’ card accounts, Save Mart said in a statement on its website.
Lucky has released all transaction data from the compromised terminals to financial institutions “so that they will be able to identify affected consumers and protect consumers’ accounts from unauthorized transactions,” the company said in its release.
That the attack centered only on payment terminals in self-checkout lanes, not staffed lanes, is probably “not very significant,” Julie Conroy McNelley, a senior analyst with Aite Group specializing in payment fraud, tells PaymentsSource.
“A self-checkout lane is marginally easier to tamper with because a staff member is not standing there and it might have less scrutiny than a regular checkout lane, but it doesn’t necessarily mean self-checkout terminals are at greater risk of terminal-tampering crimes,” she says.
Of greater interest is the precision and coordination of the attack, which suggests more than one person was involved and increases the likelihood the criminals received help from an insider at the company, McNelley says.
“That level of coordination–tampering with terminals in the same timeframe across all those stores–suggests a highly coordinated, organized effort in stores that are highly trafficked at most hours of the day,” she says.
Certainly a lone criminal or group could have pulled off the caper. But McNelley has her doubts.
“Given the high traffic in these stores, the element of insider help is definitely a factor to consider,” McNelley says.
In a statement on its website, Save Mart said it has "no reason to believe" its employees were involved in the attack.
Save Mart is working with the U.S. Secret Service to investigate the crimes, the company said in a press release. A Save Mart executive was unavailable to provide further details.
The Michael’s attack involved tampering in dozens of terminals in its stores across the U.S. in a single period of time last spring. About 100 customers reported losses to their bank accounts in the Michaels breach (
The Irving, Texas-based merchant ultimately removed or replaced approximately 7,200 payment terminals in its stores in the U.S. and Canada, but it never explained how criminals managed to penetrate its payment equipment.
The San Jose Mercury News on Dec. 7 reported that Lucky deployed VeriFone-brand payment terminals at the time of the tampering incident.
Michaels also deployed VeriFone-brand payment terminals at the time of its attack. Michaels executives declined to comment on the type of payment terminals involved in its breach.
What do you think about this? Send us your feedback.
