Data Security Update

Please Click Here to View the Press Release from September 29

Frequently Asked Questions
AB Acquisition, LLC

Q: What happened?
We recently learned of an unlawful intrusion to obtain credit and debit card payment information in some of our stores, which could include name, account number, expiration date or other numerical information. Importantly, sensitive information (like Social security numbers, birthdates or driver’s license information), and other personal information were not affected, because that information is not collected as part of the payment process.

The appropriate federal law enforcement authorities have been notified, and we are working closely with our IT services provider, SUPERVALU, to better understand the nature and scope of the incident. Third-party data forensics experts are supporting an ongoing investigation. We have not determined that any cardholder data was in fact stolen, and currently have no evidence of any misuse of any such data. We believe that the intrusion has been contained and are confident that our customers can safely use their credit and debit cards in our stores.

UPDATE: September 29, 2014

We were recently notified by our IT services provider, SUPERVALU, of a separate, more recent attempted criminal intrusion that sought to obtain payment card information in some of our stores. This separate intrusion apparently occurred in late August or early September.  We have been informed that different malware was used in this recently discovered incident than was used in the incident previously announced on August 14, 2014. The new malware may have captured account numbers, expiration dates, other numerical information and/or cardholder names.

Importantly, sensitive information (like Social security numbers, birthdates or driver’s license information), was not affected in either incident, because that information is not collected as part of the payment process.

We promptly notified federal law enforcement authorities of this separate criminal intrusion and we are cooperating in the efforts to investigate this matter and identify those responsible.  Third-party data forensics experts are supporting an ongoing investigation into these incidents.  There has been no determination at this point that consumer data has been stolen as a result of either event.

Q: What stores were affected?
Jewel-Osco stores in the following states were impacted:  Illinois, Indiana, and Iowa.

UPDATE: September 29, 2014

Based on the information we currently know, it is not believed that any customer data was stolen. However, out of an abundance of caution, if you used your credit or debit card in a potentially affected store between June 22, 2014 and July 17, 2014 or between August 27, 2014 and September 21, 2014, you should monitor your credit and debit card account and promptly contact the bank that issued your payment card if you see suspicious activity.  Stores in the following states were potentially affected: Illinois, Indiana, and Iowa

Q: When did this event happen and what did you do about it?

Based on our current investigation, it appears that the unauthorized access may have started as early as June 22, 2014 in our stores, and action was taken to contain the incident July 17, 2014. The appropriate federal authorities have been notified. We are working closely with our IT services provider, SUPERVALU. Third-party forensics experts are supporting an ongoing investigation. From information we have at this time, we do not believe that any customer data was taken.

UPDATE: September 29, 2014

We recently learned from our IT services provider, SUPERVALU, that it appears a criminal intruder installed different malware on payment card systems in late August or early September 2014.  The investigation into these events is ongoing.  From information we have at this time, there has been no determination that any customer data was stolen as a result of either incident.

Measures have been taken to prevent further use of this new and different malware in the affected store locations. We are also implementing additional measures to enhance the protection of customer payment card data.

Q: Am I at risk for identity theft or fraudulent use of my credit card?
It is unlikely that you are at risk of identity theft due to this incident. Generally, identity theft requires criminals to have access not only to your name and credit card information, but also your Social Security Number. That information is not captured in our payment process and could not have been accessed in this incident.

Q: Who should I call if I see suspicious activity in my bank or credit account transactions?
If you see unusual or suspicious activity on a payment card that you used at our store, you should immediately call the phone number on the back of that card to report it to the issuing bank. They can walk you through the steps to dispute the charges and protect your financial accounts.

UPDATE: September 29, 2014

Q: Will my bank or credit card company re-issue a new card to me because of these events?

Each financial institution that issues credit cards independently determines whether your payment card should be re-issued depending upon its policies and procedures.  If you have any questions or concerns about your card, you should call the phone number on the back of that card.

Q: I received a call, text or e-mail from someone who said they were from Jewel Osco or one of your other banners asking for my social security number, credit card number, and/or other personal information. What should I do?
We do not request this type of information by phone, text or email, so you should not respond. Identity thieves often try to take advantage of situations like this. Please take down their information and report this scam to the authorities.

Q: What are you doing so it doesn’t happen again?
We are committed to protecting the security of our customer’s personal data, and we are working closely with SUPERVALU to implement additional security measures to reduce the likelihood that no such incident ever happens again.

UPDATE: September 29, 2014

We are committed to protecting the security of our customer’s personal data.  Measures have been taken to prevent further use of this new and different malware in the affected store locations.  We are also implementing additional security measures to enhance the protection of our customers’ payment card data.

Q: What protections are being offered by Jewel Osco or its other store banners?
We are taking steps to protect your credit and debit card information. We will be providing one year of complimentary identity protection to affected customers. This coverage includes automatic protection with AllClear Secure for the next 12 months – there is no action required on your part to receive or enroll in this service. If a problem arises, simply call 1-855-865-4449 after Tuesday, August 19th, Monday through Saturday from 8:00am-8:00pm CT and a dedicated investigator will assist you in restoring your identity to its accurate state. Additional identity protection services that includes identity theft monitoring and a $1 million identity theft insurance policy will also be available. At that time more information about these services will be available at https://abacquisition.allclearid.com.

UPDATE: September 29, 2014

Although it has not yet been determined whether any payment card data was in fact stolen, we are providing one year of complimentary identity protection to affected customers. In an abundance of caution since it is early in the investigation, if you shopped at one of our affected stores between June 22, 2014 and July 17, 2014 or between August 27, 2014 and September 21, 2014, you will receive automatic protection with AllClear Secure for the next 12 months – there is no action required on your part to receive or enroll in this service. If a problem arises, simply call 1-855-865-4449 Monday through Saturday from 8:00am-8:00pm CT and a dedicated investigator will assist you in restoring your identity to its accurate state. Additional identity protection services that includes identity theft monitoring and a $1 million identity theft insurance policy is also available. More information about these services may be found at https://abacquisition.allclearid.com.

UPDATE: September 29, 2014

Q: Do the identity protection services provided include credit monitoring?

No.  While it is always a good practice to review your credit report each year, it is unlikely that misuse of your payment cards will show up on your credit report because credit reports do not list individual transactions.  That’s why we are providing the complimentary services from AllClear Secure to potentially impacted customers that provides a dedicated investigator to assist if a problem arises regarding your payment card.  More information about these services may be found at https://abacquisition.allclearid.com.

Q: If I have additional questions, who can I contact?
Beginning August 19, you may call our toll-free customer information hotline at 1-855-865-4449 Monday through Saturday from 8:00am-8:00pm CT and a dedicated security professional will assist you in protecting your credit information. You can also reach out to us through Facebook www.facebook.com/jewelosco or through our website, www.jewelosco.com.

Q: Will I receive any additional information or updates?
We will update this online information page with updates on the ongoing investigation.

MORE INFORMATION:

We understand that you may want more information on other actions you might consider. Additional information generally about data breaches can be obtained from the Federal Trade Commission by contacting the agency toll-free at 1-877-ID-THEFT (438-4338) (TTY: 1-866-653-4261), or writing to Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

A free copy of your credit report can be obtained from each of the credit bureaus once a year by going to http://www.annualcreditreport.com online, or calling toll free 877-322-8228. Hearing impaired consumers can access TDD service at 877-730-4104. You should monitor these reports. You may also place a fraud alert or security freeze on your credit report by contacting the credit bureaus as listed below.

Equifax
P.O. Box 740241
Atlanta, GA 30374
888-766-0008
www.equifax.com

Experian
P.O. Box 9554
Allen, TX 75013
888-397-3742
www.experian.com

TransUnion
P.O. Box 6790
Fullerton, CA 92834
800-680-7289
www.transunion.com

A security freeze will prevent new credit from being opened in your name without the use of a personal identification number or password that will be issued by the credit bureaus after you initiate the freeze. A security freeze will also prevent potential creditors from accessing your credit report without your authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, mortgages, employment, housing or other services. In order to place a security freeze, you may be required to provide the credit bureaus with information that identifies you, including your full name, social security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement. Credit bureaus may charge a fee up to $10 to place, lift, or remove the security freeze; however, this fee may be less in certain states (in MA, up to $5) or waived if you are the victim of identity theft and you provide a valid police report. You must separately place a security freeze on your credit file with each credit reporting agency.

Filing a Police Report for Suspicious Activity:
If you do find suspicious activity on the credit or debit card indicated in our notice to you or in your credit report, call your local police or sheriff’s office and file a police report of identity theft. Get a copy of the police report. You may need to give copies of the police report to creditors to clear up your records. In addition, you should report identity theft to your Attorney General and the Federal Trade Commission.

For Maryland Residents: The Maryland Attorney General provides information regarding identity theft at http://www.oag.state.md.us/idtheft/index.htm. You may also contact the Identity Theft Unit at (410) 576-6491, by email at idtheft@oag.state.md.us, and by mail at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202.