Cyber attack hits Bashas' chain of stores

Posted: Updated:
By Mike Gertzman By Mike Gertzman
The Pinal County Sheriff's Office is asking for the public's help to identify the individuals in this photo. By Jennifer Thomas The Pinal County Sheriff's Office is asking for the public's help to identify the individuals in this photo. By Jennifer Thomas

PINAL COUNTY, Ariz. -- Pinal County authorities said hundreds of reports of fraudulent credit/debit card transactions have been linked to a cyber attack on a chain of grocery stores.

The Pinal County Sheriff's Office has received more than 400 reported cases since Jan. 18. The fraudulent charges to victims' accounts have occurred in Arizona, Texas, Illinois, New York, New Jersey, Georgia, Connecticut, North Carolina, Italy, France, Canada and Mexico.

Investigators have determined that the victims had all used their credit or debit cards at either Bashas', AJ's Fine Foods and/or Food City locations to make purchases.

The sheriff's office has been working with federal, state and city law-enforcement agencies on this case.

According to PCSO spokesman Tim Gaffney, the store chain became the victim of a cyber attack, which began last June or July. Suspects were able to gain access to parts of the security system used to capture payment information from customers.

Gaffney said the highly sophisticated piece of malware software has been identified and contained, but customers are being warned to check their credit card and debit card transactions.

The sheriff's office is asking for the public's help to identify the three males pictured in the above photo who are considered investigative leads. Anyone with information about their identities or whereabouts can call 520-866-5111.

"All Pinal County citizens who have reported the frauds have had their bank accounts reimbursed," Sheriff Paul Babeu said. "Numerous investigators from various law enforcement agencies are working around the clock to find those responsible and put them behind bars."

Bashas' Family of Stores released the following statement Tuesday afternoon:

"We were recently the victim of a cyber attack by highly sophisticated criminals who gained access to parts of our systems to capture payment information. We are cooperating with federal law enforcement officials to undergo a thorough and exhaustive investigation.

"Bashas' is and has been compliant with all Payment Card Industry (PCI) security requirements. However, we recently located and removed a highly-sophisticated piece of malware that has never been seen before in the industry. The malware has been identified and contained, and we are working with forensic specialists and federal law enforcement officials in their investigation to find those responsible.

"We've also installed additional security measures (beyond what is required by the industry) to our point of sale and enterprise systems to further protect our customers’ information from such attacks in the future.

"We have fielded some calls about this issue from customers in limited geographic locations. However, we are strongly encouraging all of our customers to closely monitor their debit and credit card transactions and to report any unusual activity.

"I just sent this information to all of our stores letting them know that they need to post this update at every register. We sincerely apologize to our customers for any inconvenience this may cause, and if they have any additional questions, we ask that they contact our Customer Service Department at 480-883-6131.

"This is what we know as of now. If/when we learn anything more, we will be sure to share it with you and with our customers."