June 12, 2015

Fred’s Inc., a discount general merchandise and pharmacy chain that operates 650 stores in more than a dozen states, disclosed today that it is investigating a potential credit card breach.

KrebsOnSecurity contacted Fred’s earlier this week, after hearing from multiple financial institutions about a pattern of fraud on customer cards indicating that Fred’s was the latest victim of card-stealing malware secretly installed on point-of-sale systems at checkout lanes.

Sources said it was unclear how many Fred’s locations were affected, but that the pattern of fraudulent charges traced back to Fred’s stores across the company’s footprint in the midwest and south, including Alabama, Arkansas, Georgia, Indiana, Kentucky, Louisiana, Mississippi, Tennessee and Texas.

Reached for comment about the allegations, the company issued the following response today:

Fred’s Inc. recently became aware of a potential data security incident and immediately launched an internal investigation to determine the scope of the issue. We retained Mandiant, a leading independent forensics firm, to examine our data security systems.

We want to assure our customers that protecting their information is one of our top priorities and we are taking this potential incident very seriously. Until this investigation is completed, it will be difficult to determine with certainty the scope or nature of any potential incident, but we will continue to work vigilantly to address any potential issues that may affect our customers.

I am hearing about so many different retail breaches at retail and restaurant chains right now that I could do nothing but write about them full time and still fall behind.

A quick note about this blog: I’ve been on vacation for the past two weeks in Australia and New Zealand, which is why posting has been sporadic at best of late. Also, a glitch in our email server prevented many readers from receiving notifications of new updates over the last few weeks. Fixing the glitch caused subscribers to receive 10 days’ worth of email notifications all at once. Sorry for the inconvenience.


19 thoughts on “Discount Chain Fred’s Inc. Probes Card Breach”

  1. VPN Germany

    It’s always the same stupid excuse, we are going to investigate using Mandiant, and that we will protect our customers after the breach takes place, never before.

    It’s the same B.S. Boilerplate response. It’s like the federal government you never ever get a straight answer or facts to anything.

    Snowden for President 2016

  2. Stephen

    Seems that it is safer to assume your card will be hacked when using it than not to. How sad!!

    1. George G

      As I learned from this blog, with security breaches

      It is not a question of IF, but WHEN.

    2. Eric

      I concluded some time ago that paying cash whenever/wherever possible is the best defense.

      Gradually EMV is coming online at various merchants. And if not that then NFC. But using just the magnetic stripe is an absolute last resort for me.

        1. tmiw

          Only if the retailer’s already enabled the EMV slot at the bottom. A lot have yet to do that and are running NFC transactions in magstripe mode. It’s still an improvement if you use something like Apple Pay though.

  3. George G

    “We want to assure our customers that protecting their information is one of our top priorities”

    Well, Fred’s, we have proof of that in this article 🙂

  4. George G

    Brian, enjoy your well deserved vacation!

  5. Tom

    I don’t even bother using cards for small purchases anymore … just not worth the risk!

  6. Carl T.

    I don’t even worry about CC breaches anymore. Either the card issuer catches it and freezes the card or I catch it (transaction alerts) and freeze the card. Worst case the merchant or issuer eat it, my liability is zero.

    1. Robert.Walter

      I think this IS the thing for folks to remember, credit cards are still the safest payment method (short of something like Apple Pay via NFC) because of the card issuers’ zero liability policies.

  7. jim

    If you will go back to about 1985, and restart reading the 2600, you will notice an upcoming theme. NFC was broken on implementation. And don’t blame the hackers, blame the college profs that hacked it. Even then they had to write papers, and the fastest way to warn everyone, then, was the 2600.
    If I remember right from then, the copier only had to be within 10 foot of the reader. If I remember the last article, within 600 foot, of a card. Then just let your computer churn away. Safer, until they get the first four numbers…

  8. CJD

    Brian,

    Maybe a continuing post that you update weekly (or more if needed) just listing the current breaches you have heard of, with a status like “suspected” “confirmed” etc? It would be nice to see all the data in one place.

  9. wombat94

    I’ve said it a number of times in comments on this blog.

    I’ve evolved my approach to using credit cards over the years in order to limit disruption due to breaches. Now, in the last two years, I have had a card number stolen/replaced about every 5 to 6 months and it no longer bothers me.

    Here’s what I do:

    1. Debit cards are NEVER used at anything other than an ATM. Add to this the fact that in our area my bank puts ATM inside all of the dominant local gas/convenience store chain’s branches that are open 24×7 and typically have a lot of traffic, and I feel my ATM use is as secure from skimmers as I’m going to get.

    2. Credit cards are segregated into three main categories. First is ONE card that is used for all recurring billing arrangements. That card is NEVER used at retail point of sale. After years of having to go to all of the recurring billing and change the credit card number after a card being stolen in a point of sale breach, this has kept me from having to update my billing preferences for online services for nearly 18 months now… some kind of personal record.

    3. The second category of credit card is the main card that we carry and use for day-to-day retail purchases. We chose our best option on a reward card and use that for the main purchase card. In addition, the card that we chose for this is one that has a separate account number for my card vs. my wife’s card… when (not if) one of us has been breached, the other one doesn’t have to get a new card also. Since this has no recurring billing tied to it now, if we are breached and get a new account number it is just a minor inconvenience for a couple of days.

    4. We have at least one other card (usually two) that are used for special purchases or unusual circumstances only (for us AMEX is used either for travel purchase benefits and Costco purchase). These cards also serve as backup cards to be used for convenience if/when the primary card is breached so if it takes a few days to get a new card, we can still make purchases as necessary.

    5. Finally, I have added Apple Pay to the mix within the last month. The utility is limited until NFC really reaches higher levels of penetration in the market (which I expect to happen in the second half of this year as the EMV mandate really kicks in and lots more retailers step up their Pin Pad replacement projects). Apple Pay (or really EMV Tokenization if you want to get technical) and the ability to delete/reset the device account number at will and instantly get a new one without ever having to present or put at risk the real account number – is the next step in convenience for consumers while providing a way to eliminate/limit the fraud.

    Other than the inconvenience, I’ve never lost a penny to actual credit card fraud in the last 20 years.

  10. ERic

    EMV is NOT a mandate/rule/law. It is a liability shift so that IF a retailer is EMV-ready/capable and gets breached, they are no longer liable for the chargebacks. It goes to the one that is LEAST EMV-capable.

    To say it is a mandate is just wrong. EMV won’t be widespread for at least a few more years as retailers and restaurants shift.

    Source: I work for a POS reseller and we are looking at the EMV shift carefully right now. It is going to be a nightmare and I honestly doubt a lot of retailers will go to it right away. I could honestly see cash becoming more dominant again, but we shall see.

    1. tmiw

      It’s going to be a ton better for smaller businesses IF they upgrade. A lot of them have no POS to worry about, just a card machine (which is likely leased and will eventually get replaced automatically). Even if they use a POS, it’s likely something like Clover or Square, the latter of which is coming out with a free EMV/NFC reader this fall.

      The businesses that insist on a fully integrated POS/payment setup for rewards, customer tracking or some other reason are the ones who will have the hardest time migrating IMO.

  11. Andy

    Until the number of people embarrassed or otherwise detrimentally affected by disclosed private data reaches a critical mass, the systems that allow these breaches to occur will continue operating.
    The incredible thing is, neither the magnitude of breach consequences nor the utter insufficiency of the “responses” has been explicated by the media.

    Identity theft is the least of repercussion.

  12. Stienke

    This particular breach made me laugh,
    1. I am a Veteran; Strike one
    2. Applied for several government positions; Strike two
    3. received letter from Homeland Security RE: Keypoint Breach.

    I am waiting for the notification that my security clearance information was breached…

    3 cheers for….oh wait nevermind!
