Lucky Supermarket executives, outwitted by criminals using wireless technology to download customer financial information from self-checkout terminals in Petaluma and across the Bay Area, delayed notifying customers because they thought they'd prevented a security breach.
However, as officials took three weeks to diligently check each terminal at the company's 233 stores, criminals continued to access debit card and pin numbers and then began draining cash from bank accounts of unsuspecting Lucky customers.
“We actually at that point thought that we had prevented any data breaches,” said Stephen Ackerman, chief financial officer of Lucky's corporate owner, Modesto-based Save Mart Supermarkets.
Because Lucky officials had seized the devices, they believed that any data in them was secure, Ackerman said.
On Tuesday, reports from Petaluma residents who discovered unauthorized withdrawals from their bank accounts after shopping at Lucky continued to pour into the Petaluma Police Department and had swelled to 112, Petaluma Police Lt. Tim Lyons said. One person discovered six separate withdrawals Monday that totalled about $3,000, he said.
“People's accounts are still being accessed,” Lyons said.
And more reports of suspicious bank withdrawals flooded the company's customer service hotline from people across the Bay Area, company officials said. Customer service workers fielded more than 1,500 calls Tuesday from people concerned about the breach.
Officials eventually would learn that the devices appeared to transmit financial data using Bluetooth wireless technology.
He said a person could access data from the parking lot.