Redwood Credit Union is reissuing 18,400 debit cards for customers whose financial information may have been stolen in what was described Thursday as a sophisticated cyber attack targeting the Raley's supermarket chain.
The number of potential victims is likely much greater than that reported Thursday by Santa Rosa-based Redwood, which is among several financial institutions that have customers who shop at Raley's, Bel Air and Nob Hill stores. The company operates 115 stores in California and 13 in Northern Nevada.
Anne Benjamin, Redwood's chief operating officer, said Thursday she could not recall another instance in which so many of the credit union's customers potentially have been affected by a cyber attack targeting a retailer.
She said such cases “happen a lot, and it happens to all financial institutions.”
She said as of Thursday, Redwood had confirmed 200 “fraud-related cases from the Raley's stores.”
One was from Petaluma resident Stan Culler, who was shocked to discover Thursday morning that someone had withdrawn $500 from his Redwood account the night before from an ATM in Las Vegas.
Culler said his wife shopped at a Raley's on North McDowell Boulevard in Petaluma only once this year, using the self-checkout line. The couple normally go to Lucky.
“That's like the worst lottery to hit ever,” he said.
The scam potentially dwarfs a 2011 case involving 140 Petaluma residents and more than 500 victims across the Bay Area whose financial information was stolen after they shopped at a Lucky store. The thieves slipped a card-reading device inside the self-checkout terminals at 24 of the chain's Northern California stores to collect data and transmit it over wireless networks.
However, a Raley's spokeswoman on Thursday said the West Sacramento-based supermarket chain had yet to confirm any cases of unauthorized access to customer card data.
That's after the company on June 6 broadcast a public alert that criminals may have been able to obtain customer payment card data, such as card numbers, expiration dates or magnetic stripe data, in what the supermarket chain described as a “complex, criminal cyber attack.”