FBI investigating cyber attack on Bashas' customersPosted: Updated:
An Arizona-based supermarket chain says it's been victimized by a cyber attack on the stores' online systems, which provided criminals with access to customer payment information.
Bashas' officials said they recently located and removed a highly sophisticated piece of malware from its systems.
The FBI is investigating. Officials believe there could be hundreds of victims.
Customers are being warned to check their credit card and debit card transactions.
Pinal County Sheriff Paul Babeu says his office has fielded over 400 cases of credit card fraud in regards to this case. Bashas' spokesperson Kristy Jozwiak said the company learned about the malware less than a week ago, but Babeu said the company has known since June or July and has been working with authorities since September.
"We know that (Federal agents have) been working with (Bashas') as far back as September. So the fact that this is being put out that this is something brand new as of today I know for a fact that is false," said Babeu.
In a phone interview with CBS 5, Jozwiak said the Pinal County sheriff is incorrect.
"I can tell you with 100 percent confidence that Bashas', AJs or Food City did not know about this in June or July of last year. That's absolutely false," she said.
Bashas' officials said they've installed additional security measures to protect customers' personal information from attacks in the future.
In the meantime, PCSO has released a still image of three people that are wanted for questioning. Babeu said they were snapped using some of the stolen credit card information at another store.
The company operates Bashas' supermarkets, AJ's Fine Foods and Food City locations in Arizona and seven other states.
Bashas' full statement reads:
"We were recently the victim of a cyber attack by highly sophisticated criminals who gained access to parts of our systems to capture payment information. We are cooperating with federal law enforcement officials to undergo a thorough and exhaustive investigation.
"Bashas' is and has been compliant with all Payment Card Industry (PCI) security requirements. However, we recently located and removed a highly-sophisticated piece of malware that has never been seen before in the industry. The malware has been identified and contained, and we are working with forensic specialists and federal law enforcement officials in their investigation to find those responsible.
"We've also installed additional security measures (beyond what is required by the industry) to our point of sale and enterprise systems to further protect our customers' information from such attacks in the future.
"We have fielded some calls about this issue from customers in limited geographic locations. However, we are strongly encouraging all of our customers to closely monitor their debit and credit card transactions and to report any unusual activity.
"I just sent this new information to all of our stores letting them know that they need to post this update at every register. We sincerely apologize to our customers for any inconvenience this may cause, and if they have any additional questions, we ask that they contact our Customer Service Department at 480-883-6131."
Copyright 2013 CBS 5 (KPHO Broadcasting Corporation). All rights reserved. The Associated Press contributed to this report.