“Eggs, Milk, Bread…And While You’re at It, Pick Up Some PII”

By Shawn Dougherty September 1, 2014

How many of you or your spouses have a supermarket check-cashing card? And how many of you now take advantage of ordering your groceries online and paying with your credit card?

Living in the New York metropolitan area and striving to get the best possible prices on groceries for our family (which includes a bottomless-pit teenage boy who makes it his daily challenge to eat us out of house and home), my wife and I have check-cashing cards and order groceries online from no less than three different supermarkets.

Recently, another supermarket chain, SuperValu, reported that its computer systems had been hacked and that some of its customers' personally identifiable information (PII) — including customer names, credit card account numbers, and expiration dates — may have been stolen from 180 of its stores earlier this summer. That got me thinking. How safe is it to go grocery shopping anymore?

Granted, supermarket data breaches are not a new phenomenon; they’ve been happening for years.

My first recollection of one was in 2008 when the Hannaford Brothers Companies reported that 4.2 million credit and debit card numbers used at its supermarket chain had been compromised over several months spanning 2007 and 2008. I recall it being one of the first “big” data breaches coming to light and my being surprised at how large a breach it was. (The Hannaford breach seems to pale in comparison to today’s breaches, doesn’t it?)

Over the years, other supermarket chains were hacked. In 2013, there was the Schnucks breach. This year alone, in addition to SuperValu, some of the nation’s better-known supermarket chains reported data breaches, including Albertsons, ACME, and Shaw’s. And though Target is well known as a large retail store, many of its locations now sell groceries in direct competition with local supermarkets, so you really need to count it as well.

Some might think that only larger supermarket chains are at risk, but that’s not true. For example, look at Uncle Giuseppe’s Marketplace, a five-store chain located on Long Island, New York. Earlier this year, it too announced that three of its stores had suffered data breaches resulting in customer information potentially getting into the wrong hands.

The more I investigate cyber-related issues and data breach statistics, the more convinced I become that nobody’s information is truly safe anymore. It doesn’t matter if your confidential PII or PHI (protected health information) is in the hands of your healthcare professional, financial institution, educational institution, religious organization, or even your supermarket; great care must be taken to protect it.

It will be interesting to see how the next few years play out.

To learn about ISO’s various cyber offerings, visit the ISO Cyber Risk Solutions website, www.verisk.com/cyber, or e-mail me at sdougherty@iso.com. You can also follow me on Twitter @doughertyshawn.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.