Talk about an unwelcome Christmas surprise! Shoppers who visited Safeway stores in California and Colorado found their bank accounts emptied after cybercrooks infiltrated the checkout terminals in card "skimming" scams.
"Safeway confirmed it is investigating skimming incidents at several stores," cybersecurity expert Brian Krebs wrote on his Krebs on Security blog. (He's the guy who broke the news about the huge Target data breach two years ago.) Safeway wouldn't say which of its stores were affected, nor how many, but Krebs said bank industry sources told him stores in the Colorado municipalities of Arvada, Conifer, Denver, Englewood and Lakewood were hit, along with Castro Valley and Menlo Park stores in California. The term "skimming" describes the process in which criminals scan and store card data, usually via small devices, and then use the accounts for their own purposes.
Only some checkout lanes in Safeway stores were affected, Krebs said. This isn't necessarily surprising: When Home Depot was the victim of a data breach last year, compromised self-checkout lanes were thought to be the culprit. Card skimming often pops up at gas stations, ATMs and other places where the payment terminals aren't always under the supervision of a cashier. Skimming devices are getting smaller and sneakier, so it's a good idea to pay attention when you swipe, since even small discrepancies in the PIN pad, card reader or surrounding case can possibly indicate tampering.
If you can swing it — and if you trust yourself to pay off the balance before you start racking up interest — using a credit card instead of a debit card gives you a bit more protection against fraudulent transactions.
Another way to protect yourself is to keep an eye on your debit card and credit card accounts — even if you don't shop at Safeway. Not only is it generally good advice to make sure there's nothing fishy going on, but many highly-publicized data breaches turned out to be bigger than first suspected. According to Krebs, a Safeway executive said that although the breach affecting its supermarkets was "small in scale," he suggested that other retailers could be affected, too.