Illegal Skimmers Discovered in Supermarkets on Self-check Registers

Lucky Supermarket executives, foiled by criminals using wireless technology to download customer financial information from self-checkout terminals in Petaluma, Calif., and across the Bay Area, delayed notifying customers because they thought they had prevented a security breach, the Santa Rosa Press Democrat reported December 7. However, as officials took 3 weeks to diligently check each terminal at the 233 stores, criminals continued to access debit card and pin numbers and then began draining cash from bank accounts of Lucky customers. Most debit and credit card skimmers store data and then are physically retrieved by someone who downloads the information, the chief financial officer of the corporate owner, Save Mart Supermarkets, said. Because Lucky officials seized the devices, they believed any data in them was secure. On December 6, reports from Petaluma residents who discovered unauthorized withdrawals from their bank accounts after shopping at Lucky continued to pour into the Petaluma Police Department and swelled to 112, a Petaluma police lieutenant said. Also, more reports of suspicious bank withdrawals flooded the company's customer service hotline, company officials said. Officials eventually learned the devices transmitted financial data using Bluetooth wireless technology. The U.S. Secret Service is investigating what appears to be a widespread scheme. They sent the device for analysis to a unit with special technology skills, the CFO said. Lucky Supermarkets maintenance crews first noticed a suspicious device November 3 in a self checkout terminal at a Mountain View store, company officials said. On November 11, technicians began examining terminals at the company's stores across California and Nevada. They discovered out-of-place computer boards at 15 stores and removed them that day. The last suspicious device was removed November 16, and by November 22 technicians had checked all of the stores. The computer devices had been installed in one terminal per store. On November 23, the company posted an alert about the breach on its Web site, which it updated to include all 23 stores December 6.