URM Stores acts to notify and protect customers

URM Stores’ investigation of a criminal cyber attack in November is coming to a close. “We now know which stores were affected by the attack and that the incident was limited to credit and debit card transactions made in those stores during time periods that range from Sept. 1, 2013 to Nov. 24, 2013,” said URM in a press release.

A list of stores affected and the specific time frame for each store can be found at www.urmstores.com under the “Credit/Debit Card Announcements” link. Only transactions at stores on the list during the defined time period were affected.

Some local stores include: Barney’s Harvest Foods in Orofino, Asker’s Harvest Foods in Grangeville, A&B Foods 1 and A&B Foods 2 in Lewiston, Valley Lapwai Foods in Lapwai, Cloninger’s Harvest Foods in Kamiah, Phil’s Family Foods in Kendrick, and White Pine Foods in Deary (Sept. 2, 2013 only).

On Nov. 25, URM Stores announced that it had found signs of a criminal cyber attach against their payment processing system. The attack was similar to attacks reported by other grocery stores and retailers.

In response, URM Stores engaged a leading computer security firm to investigate, and notices were posted in every store and on URM’s website.

“We blocked the attack and implemented enhanced security measures to make our systems more secure,” said URM.

For most of the transactions, URM believes that the attacker or attackers could only access “track 2” data—information on a credit or debit card’s magnetic stripe that contains only the card account number, expiration date, and card verification number.

For a small number of transactions, the attacker may have had access to “track 1” data, which contains all the information of track 2, plus the cardholder’s name. No customer addresses, phone numbers, or Social Security numbers were compromised in the incident. Social Security numbers are not collected by URM at all.

URM does not have sufficient information to identify which specific cards or data track from cards were actually taken, according to the press release. A letter or e-mail message will be sent to a small group of individuals for whom URM believes their track 1 data may be at risk.

A dedicated call center remains open for customers who have questions. The number is 877-237-7408 and the call center is open Monday through Friday, 9 a.m. to 6 p.m. Pacific, and 10 a.m. to 2 p.m. Saturday.

URM assures shoppers that using their cards is now safe

United Retail Merchants (URM) a wholesale cooperative serving as many as 160 stores in Washington, Idaho and Montana, wasted no time to enhance security in their payment processing system, after a recent outbreak of fraudulent credit card cases were found to have originated at URM affiliated stores, to include Harvest Foods, Rosauers, Family Foods, Yokes, Super 1 Foods and Yoke’s stores.

URM stores issued a statement Dec. 2 announcing that they have finished implementing enhanced security measures designed to block the cyber-attack against its payment processing system. Customers may now resume using their payment cards (credit, debit, EBT, gift cards) in all member stores.

“Working with a leading payment card industry security firm, we have taken steps to block the attack,” said URM CEO Ray Sprinkle. “We are incredibly grateful to our customers for their patience and understanding. we are humbled by their support and continue to extend our sincere apologies for the frustration and inconvenience caused by this incident.” Sprinkle also commended the employees of URM and its member stores, “We are extremely proud of their dedication and hard work throughout this process.”

“We are learning from this experience and will continue to constantly look for ways to make our system more secure.” added Sprinkle.

Although this attack has been blocked from continuing, any card used before the attack was blocked (except separate stand-beside transactions) could have been accessed and may still be used to make fraudulent purchases. Thus, customers who used their card in a store before the attack was blocked out should continue to monitor their accounts for unauthorized charges and immediately report any such charges to the financial institution that issued their card.

Major credit card companies have “zero liability” policies that guarantee cardholders will not be responsible for fraudulent charges. Again, cards used through a separate stand -beside or dial-up system from Nov. 25 - Dec. 2 were not affected.

URM is working with the security firm, its payment processor, and the credit card companies to identify cards that may have been affected by this attack. After finding signs of the attack, the company devoted all of their efforts to stop it.

The investigation will now turn towards identifying the stores that were affected and for how long. When that occurs, alerts will be sent out to the companies that issued cards which might still be at risk. After they receive alerts, those companies can apply enhanced monitoring techniques or cancel and reissue the cards to protect their cardholders. We are also working with law enforcement to apprehend those responsible.

A dedicated call center remains open for customers who have questions. Customers may call (877) 237-7408, Monday through Friday, 9 a.m. – 7 p.m. PT and 10 a.m. - 2 p.m. PT on Saturday. Up to date information can always be found on the URM web site at www.urmstores.com under the “Credit/Debit Card Announcements.”