Hackers Cracked Into Natural Grocers’ Registers

Customer credit and debit card information on Natural Grocers’ cash registers has been illegally accessed; what’s being done with that information remains to be seen.

According to KrebsOnSecurity, sources in the financial industry have seen evidence that hackers have acquired customer payment card data from various locations of the grocery chain nationwide.

In an emailed statement to KrebsOnSecurity, the Lakewood, Colorado-based Natural Grocers expressed that it “has received no reports of any fraudulent use of payment cards from any customer, credit card brand or financial institution,” and that “there is no evidence that PIN numbers or card verification codes were accessed. Finally, no personally identifiable information, such as names, addresses or Social Security numbers, was involved, as the company does not collect that data as part of its payment processing system.”

KrebsOnSecurity has received contradictory reports to Natural Grocers’ statement, however, citing anonymous  sources that have seen evidence that cards stolen from the chain are already being sold on the black market. According to one of these sources, the hackers accessed Natural Grocers’ servers just before Christmas 2014 and planted malware on its point-of-sale systems.

Natural Grocers has told KrebsOnSecurity that it has hired a third-party data forensics firm and that the matter is under investigation by law enforcement. Meanwhile, says the report, the company has hastened efforts to improve the security at the point of sale in all of its locations.

“These upgrades provide multiple layers of protection for cardholder data,” concludes the company’s statement, according to the report. “The company is in the process of installing this new system at all 93 Natural Grocers stores in 15 states. The company takes data security very seriously and is committed to protecting its customers’ information.”