Ahold Delhaize USA’s Stop & Shop and Giant Food supermarket chains have reported potential data breaches at six stores from illegal skimming devices.
Stop & Shop said Friday that “shimmer” devices, thin devices typically positioned between the chip and the chip reader to capture data from the chip, were recently identified as part of routine security scans at three stores in New Jersey, one in Connecticut and one in Massachusetts. Earlier in the week, on May 12, Landover, Md.-based Giant said it discovered a skimming device at a store in Washington, D.C.
Shimmers were found at one self-checkout lane in each of the six stores, according to Stop & Shop and Giant. All of the devices have been removed, and both chains have notified law enforcement and enlisted the services of third-party forensic investigators to determine if any data had been captured.
Both retailers said there’s no evidence that transactional or customer data has been misused, and they have reviewed video surveillance to help determine how long the devices had been in place.
“We take our obligation to safeguard our customers’ personal information very seriously, and we are very sorry this may have impacted them,” Dean Wilkinson, senior vice president of operations at Stop & Shop, said in a statement. “We have taken immediate steps to increase monitoring across all registers at all stores, we’ve deployed device detection tools, and we will continue to be as vigilant as possible in order to protect our customers’ data.”
Quincy, Mass.-based Stop & Shop said customers shopping during certain periods between early February and late April may have been affected at the following stores: 404 Springfield Ave. in Berkeley Heights, N.J., from Feb. 8 to 10; 8 Franklin St. in Bloomfield, N.J., from March 28 to April 9; 1189 Broad St. in Clifton, N.J., from March 14 to April 16; 25 Old King’s Hwy. North in Darien, Conn., from April 26 to 30; and 19 Temple St. in Framingham, Mass., from April 22 to 26.
Both retailers noted that they haven’t found any other skimming devices after inspecting PIN pads across all of their stores. Giant said it located the shimmer on March 5 at a self-checkout station in its store at 1345 Park Rd. NW in the District of Columbia.
“The device was installed on only one PIN pad in the store, and forensic investigation concluded that it was capable of capturing data from payment card EMV chips but not from magnetic stripes,” Giant stated. “The personal information found on the device included names, payment account numbers, and expiration dates for a limited number of customers who used that particular self-checkout terminal for a limited time period before March 5. The device was designed such that extraction of the captured payment card transaction data would require manual insertion of a reader device into the card capture device, but the data could not be accessed remotely. We have been unable to determine if any data was extracted from the device, but it is possible that data was extracted before the skimmer was discovered by Giant Food.”
Stop & Shop and Giant said they’ve notified customers of the incidents and urged them to check their payment card and financial account statements for unusual activity. Concerned shoppers, they added, also can get a free credit report at annualcreditreport.com.
Stop & Shop operates more than 400 stores in Massachusetts, Connecticut, Rhode Island, New York and New Jersey, while Giant’s store base encompasses 163 locations in Virginia, Maryland, Delaware and D.C.