March 2, 2015

Sources in the financial industry tell KrebsOnSecurity they have traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country. The grocery chain says it is investigating “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.”

In response to questions from KrebsOnSecurity about a possible security breach, Lakewood, Colo.-based Natural Grocers by Vitamin Cottage Inc. said it has hired a third-party data forensics firm, and that law enforcement is investigating the matter.

Natural Grocers emphasized that it “has received no reports of any fraudulent use of payment cards from any customer, credit card brand or financial institution.”

“In addition, there is no evidence that PIN numbers or card verification codes were accessed,” the company’s statement continued. “Finally, no personally identifiable information, such as names, addresses or Social Security numbers, was involved, as the company does not collect that data as part of its payment processing system.”

Perhaps they aren’t reporting the fraud to Natural Grocers, but banking sources have told this author about a pattern of card fraud indicating cards stolen from the retailer are already on sale in the cybercrime underground.

According to a source with inside knowledge of the breach, the attackers broke in just before Christmas 2014, by attacking weaknesses in the company’s database servers. From there, the attackers moved laterally within Natural Grocers’ internal network, eventually planting card-snooping malware on point-of-sale systems.

Natural Grocers said that while its investigation is ongoing, the company has accelerated plans to upgrade the point-of-sale system in all of its store locations with a new PCI-compliant system that provides point-to-point encryption and new PIN pads that accept secure “chip and PIN” cards.

“These upgrades provide multiple layers of protection for cardholder data,” Natural Grocers’ emailed statement concludes. “The company is in the process of installing this new system at all 93 Natural Grocers stores in 15 states. The company takes data security very seriously and is committed to protecting its customers’ information. This is all the information the company is able to provide at this time, as the investigation into the incident is ongoing.”

48 thoughts on “Natural Grocers Investigating Card Breach”

  1. Blah

    While upgrading the POS devices is good, that doesn’t begin to address the flaw that was apparently attacked in the first place: database servers.

    1. Cody Wood

      The flaw with the “database servers” does not need to be resolved if a “point-to-point encryption” system is put in place. While the company may store some information on their systems that they do not want hacked, it is unlikely they will even be a target if a p2pe solution is provided. “database servers” cannot be a flaw in and of itself.

      1. Blah

        Consider my comment a generalization then. The problem wasn’t necessarily the POS systems, but another flaw in their network.

        By treating a symptom – the POS system – we still don’t know what the illness is – how they got into the system in the first place.

      2. Cryptopunk

        P2p encryption is *not* going to solve the problem. If they got in thru a database vulnerability, that means they jumped all the way to the PoS and exploited a vulnerability there. Probably installed a keylogger on the PoS like in the case of Target, via a virus. P2p encryption will not protect against a key logger or card skimmer.

  2. Taz

    Architecture 101, if I got all the way to your database, your weakness is well before that in your network or an application…the database is the last.

  3. B_Brodie

    I used to live in Denver and shopped there frequently. It’s a shame this has happened to them.

    They are a (more or less) responsible corporate citizen that treats their employees and customers well: imagine Whole Foods quality at Kroger prices.

    That being said, like Michael’s and Home Depot, I commented more than once to my wife that they were probably vulnerable to being hacked because their Windows-based POS seemed a little long in the tooth.

    Their standard PR response indicates they have yet to transit the “seven stages of financial breach”: bewilderment, denial, obfuscation, realization, investigation, implementation, credit fraud monitoring.

    1. Sasparilla

      Love the “seven stages of financial breach” – that is classic and from what we’ve seen over the year(s) here proved out in real life experience.

    2. johnny_n

      “Long in the tooth” is correct… I still shop there frequently. I never second-guessed it, but if the machines look/feel old, then most likely they’re truly outdated and vulnerable. Of course, everything seems vulnerable these days. Anyone read Marc Goodman’s Future Crimes? Eesh.

  4. Donald J Trump

    Every company upgrades their equipment after a breach. It makes you wonder if they really have the best interest of the customer at hand.

    1. IA Eng

      HA! They do not. In my opinion, they simply ride that risk for as long as they can. IF they do get breached, the coffers are full. They can hit up insurance and write off any losses come tax time.

      IF people attempt to sue, they simply hire lawyers. The lawyers can simply say, with all the breaches that have occurred over the past 1.5-2 years, prove that this particular incident came from this breach.

      RONCO has to have a better way. One of the things that does not appear available are any lessons learned from these breaches. Brian has revealed some insight through interviews but, finding a common thread of why so many have happened – short of saying “code injection” – of a particular software, or package is not very clear.

      Software gets old and ignored. That’s all it takes. When staff changes the areas of responsibility become muddy and stuff falls through the cracks.

      1. IA Eng

        One more thing…. The people who do these attacks probably make some good money doing so. For some, it may be a full time job. So, if they are hammering at sites, probably sharing attack attempts, vulnerable sites and so forth on underground websites.

        Sure there are a bunch of script kiddies out there, but the dedicated hacker/crackers out there will eventually find a way to get in. The problem exists with network segregation /configuration and permissions/white-blacklists.

        Some of these networks are either dirt old, or the websites are on servers that aren’t properly maintained. There are a ton of scenarios such as an insider threat at 3rd party web provider, old antiquated software, insecure practices and the list goes on and on……

      2. CJD

        There is a fair amount of info out on the “how’s” of most of the breaches, although it is scattered around, and not always easy to find. Even inside the industry, there isn’t a lot of information sharing, which is sad. Part of that is not wanting to admit how it happened to try and shield liability, part of it is a PR move to hide how big the blunders are, along with some other crappy motives for not sharing.

        99% of the last 18 months of breaches have been either:
        A) Poor segmentation / controls between the corporate environment and the credit portion of the retailer’s network. They infiltrate through normal methods into the corp network, and then exploit poor segmentation and controls over the cardholder environment, and gain access to the POS registers, and install RAM scraping malware.
        B) Poor security on remote access into the retailer’s network that processes credit cards. These are usually the smaller breaches, where a retailer doesn’t have staff, and they outsource the POS support.

        There have been some other breaches, but those two cover 99% and are all preventable. The keys are end to end encryption AND tokenization. The encryption only protects the card numbers during the transaction, if you are storing card numbers post transaction, you still have a huge hole, which is what tokenization solves. That said, it costs money, and most CIO /CFO / CEO’s don’t see the value in spending money that takes away from the bottom line on EVERY credit transaction. It’s VERY hard to get that signature… me.

    2. Rick Blaine

      Well, you know what’s said all the time in business today…. if it ain’t broke don’t fix it, until it’s broke (into). 🙂


    Hmmm, let me fix part of the statement for them:

    “The company takes data security very seriously and is committed to protecting its customers’ information”

    “The company takes data security very seriously and is committed to protecting its customers’ information, now that we have been breached and it is public knowledge”

    1. nov

      KOS Readers: What policy stipulates the use of “[fill company/institution name in here] takes data security very seriously”?

      (The statement more-so to me is emblematic of being breached or waiting-to-be-breached with the ‘statement’ ready in its arsenal of stupid step-by-step procedures for what to do in the event of a breach).

      Also in the list of step-by-step procedures is “investigation into the incident”. Ensuring an investigation is done, so that at least something is done; but not so far as catching the perpetrators (if data was taken so ‘seriously’ I’d be reading more about perpetrators in custody, which I’m not).

      1. BigBadJohn

        From my experience, if there was a policy related to this, it would be filed under either Business Continuity/Disaster Recovery, or Communications. It seems most medium to large companies have either an officer, agent, or group that is responsible for all communications to the general public. In the BC/DR plans in which I have partaken, there is usually a specific chain of personnel in which all non-emergency public requests are directed to.

        I wouldn’t doubt if statements like this aren’t part of some canned script that Comm people everywhere have been compiling…

        1. nov

          All. My more direct question is: Where is this joke-of-HR-comments canned from? These canned statements reinforce how the ‘canned security of their networks’ is not to be trusted. The ‘canned security of the network’ that these same companies are using is NOT working.

      2. CJD

        It’s not that they don’t investigate deeply enough to find the source, it’s generally that the source has done a sufficient job at masking who they are, and / or the source leads back to a non-extradition country. Rarely are these breaches perpetrated by US actors.

  6. jim

    All of you white hats out there and no one found these vulnerabilities prior to the black hats and offered advice?
    But the ability to gripe at the vulnerable must be endemic.
    I suppose some of you are all a+ certified, never got a b in any subject that was ever presented to you. Climb off your high horses and get back into the real world. The world that people die because you erred. One server found to have a vulnerability? Was this a programming mistake or a physical mistake because the machine was getting to the eol and needed repairs, there is a difference that some of the machines are vulnerable because of age problems. It wasn’t able to handle the update.

    1. Taz

      You assume that because we offer advice, that they would listen. Unfortunately it is quite the opposite. We find things, some of us are even hired to do pen tests for the company and we do, and we provide them detailed reports – and – silence – wait – wait for it – surely they’re going to do something – wait – wait – wait….. and nothing.

      So don’t assume that white hat hackers are on their high horse without good reason. We tell businesses about these things and it falls on deaf ears. Why? Because just like Target who paid out $1.2B in dividends on $21.8B in sales and the data breach cost them $162M…. the cost of the breach is “acceptable risk” or “acceptable cost of doing business” in their eyes. There’s little to no sense of “social responsibility” or “ethical, moral obligation” to protect their users’ data.

      So stop judging the white hats on high horses if you don’t know what has been done to give them the right to be on that horse.

    2. B_Brodie

      Well, I mentioned my concerns to the cashiers and the manager on duty on more than one occasion. They are powerless to act, and upper management doesn’t want to hear about problems, only solutions.

      At Natural Grocers, Michaels and Home Depot, (and other merchants) I have heard cashiers say on more than one occasion:

      “gee the POS is acting weird today”

      “I’m having to swipe cards two or three times to have the payment go through”

      “boy the POS is running slow today”

      When I hear those comments, the alarm bells go off. I’ve even heard these comments at merchants that shortly afterwards completely replaced their POS systems.

      This makes me wonder how many breaches are so small they are completely covered up by companies that have been victimized.

      Even if manager X said in a staff meeting “some of our customers who work in IT have expressed concerns about our POS security” or “the POS is really behaving strangely”, I’m seeing ‘deer in headlights’ expressions all around the conference table.

      It’s ultimately the IT/security staff’s responsibility to monitor the integrity of their payment infrastructure.

    3. JJ

      “All of you white hats out there and no one found these vulnerabilities prior to the black hats and offered advice?”

      Dude, that is a CFAA violation a.k.a. felony if you do not have the proper permission in hand first. And my first hand experience says the “client” will still lawyer up to shut you up. And it always gives me great pleasure (to myself only, of course) when I then show them that I wasn’t the first one. ‘Cause now they have a real problem and it isn’t me.

  7. Michael Kern

    As an IT professional of 30+ years, I have experienced numerous people, vendor software and hardware challenges. One writer above states that many layers of security must have been compromised if the attacker was able to get into the database. If only it was this easy. But with businesses trying to run the day to day part of the business, lapses of security happen. Let’s call it security creep. You have good base security, but as vendors, employees, changes in security software, and the next thing you know (or don’t know) a security hole has emerged. Of course if your full-time job is to find these, good luck. You generally will be late to the party. Let’s all agree that the Internet has changed things. You would not consciously move into a bad neighborhood that would threaten your children or family. You would not live with a den of thieves and other offenders, the Internet changes all of that. There are no simple answers, on tough questions.

    1. Mike

      “Let’s all agree that the Internet has changed things. You would not consciously move into a bad neighborhood that would threaten your children or family. You would not live with a den of thieves and other offenders, the Internet changes all of that.”

      This is being done everyday. People are doing these things.

      The internet has definitely changed things though, certainly in the perceptions people have.

      There is this idea that in order to be “modern”, you must be “online”. This is so completely wrong. A computer is NOT useless if it’s not connected to the net. It is not required that a company acquire and hold onto its customers’ information in order to make money. Constant tracking/monitoring of everyone with the idea that everyone is a potential customer is a big part of the problem. There is not going to be just one thing that will fix this. There are many things to do. One of the most important things would be for people to actually learn something about how these machines work. The horrific nature of online advertising is also a big contributor to this. There just simply is no justifiable reason for most cash registers to be connected to the public web. Card readers shouldn’t be connected to the public web either; they need separate lines. Why are we accepting all this nonsense?

      Take a look at your cable set top boxes (for those that have cable). They do pull IP addresses but these IP’s are not seen or are even part of the open internet. This makes it so that the boxes can’t be hacked over the net. There are apps for certain things, but these apps go through the cable co. to access the box…not directly connecting to the box itself. This is just one example of what could be done.

      Here’s one:
      Why would the internal network of a store even be capable of accessing social media, porn, or any one of hundreds or thousands of other harmful things? It would make so much more sense for stores (especially brick and mortar stores) to have their social media interests handled from somewhere else. It should not be so important for employees at Academy to look at Facebook pages. At best, no one on a store machine (especially non-management) should even be capable of going ANYWHERE but directly to (and ONLY) the Academy website.

      1. JCitizen

        Maybe back when cable was analog, but now that it is digital – I wouldn’t be so sure your cable connected device cannot be cracked from outside the cable company. Maybe it isn’t now, but I really wonder. Since switching to digital completely, I’ve noticed some of the weirdest behavior, like MCard module reboots for no reason. I call the ISP and ask if an update was pushed? No? Well then why is my smart TV rebooting for no reason now?

        I think they’ve already found a way into the cable systems. I remember when Dish TV units were being cracked from the dial up connections, and Dish denied, and denied, until it became news. Doh!

        1. Mike

          A cable box wouldn’t be capable of getting an IP over an analog connection. It is precisely the digital nature of the signal that allows for this.

          Although, since so many of these things are starting to get cloud support now….this too is changing. That in itself will cause all kinds of weird and off-the-wall behavior.

  8. petepall

    I also love the “seven stages” above. It’s too bad that often there isn’t an eighth: implementing an effectively maintained secure system.

    1. AT

      That would be a reasonable expectation, but often companies don’t seem to do this as much as one would expect.

      Take Chase, for instance. Mid-’14 they experienced a major breach. You’d think they’d implement a way to quickly respond to vulnerabilities after that.
      Then POODLE (TLS) was publicized in December. However, it took Chase at least six weeks to implement a patch.

  9. Rob Douglas

    Excellent work as usual, Brian. I passed this to a number of Colorado news outlets. We have a NG here in Steamboat Springs, CO and we have had a large amount of credit card fraud this ski season. We know that a number of other establishments have had security issues with credit card processing but, to my knowledge, there had not been any indications when it came to NG. I’ve also passed this to the local police and I hope they will follow up. Thanks again–

  10. Robert Scroggins

    If they have a security firm looking at things, how do they already know that no customer data was accessed?

    They take customer data seriously! Then I wonder why they have not had a security audit that might have found the hole(s).

    I also wonder if there really was an upgrade plan in effect prior to this incident(s).


  11. Tess Man

    “The company takes data security very seriously and is committed to protecting its customers’ information.”

    Someone should trademark that expression, since it is used almost daily with all the break-ins…

  12. Michael Shanklin

    The problem is malware was allowed to execute, as almost always with breaches…. it’s like a broken record. It’s time for companies to stop malware from executing, the problem is antivirus only blocks what is known/used before. This is why things like trust-listing are becoming popular. You can’t just let your devices sit open via firewalls and antivirus anymore, you can only allow trusted/safe applications.

    1. JJ

      Given that most so-called “trust list” or “whitelist” systems will whitelist anything that has a valid code-signing certificate and PKI is the 21st century equivalent of the Emperor’s New Clothes, they’re reasonably worthless. Except to the people hawking them, of course.

      If it was that easy everyone would buy them and toss everything else.

  13. Dick

    My local Home Depot has chip capable card readers, but chip reading still isn’t working there. Michael’s is the only store locally where I have seen it actually working.

    1. JJ

      That’s because Michael’s was breached multiple times and before Home Depot. October is coming up fast.

  14. JoeM

    Why does the date on this article say “March 15”???

  15. Rick Blaine

    We’ve found the solution ? to all this brick/stone credit card fraud. Go back to cash if possible and forget all those cash back incentives.

    Of course, you can still be robbed of your wallet/purse or simply short-changed. But at least the cash doesn’t have any i.d. info on it from me.

  16. Sam Webber

    The company is lying about the scope of the breach. I am an employee at a store in Texas. Ten of the twenty employees have had fraudulent charges against their debit cards in the last week. We average about 600 customers a day. They have given us talking points to answer customer inquiries. It just lies.
    The Head IT guy quit recently in protest. He warned the owners that the system was outdated and that the company was in desperate need of a major overhaul. The owners ignored his advice based on the cost of updating the system.

  17. BJD

    Does anyone know the approximate breach timeline? (dates it started)
