Redwood Credit Union is reissuing 18,400 debit cards for customers whose financial information may have been stolen in what was described Thursday as a sophisticated cyber attack targeting the Raley's supermarket chain.
The number of potential victims is likely much greater than that reported Thursday by Santa Rosa-based Redwood, which is among several financial institutions that have customers who shop at Raley's, Bel Air and Nob Hill stores. The company operates 115 stores in California and 13 in Northern Nevada.
Anne Benjamin, Redwood's chief operating officer, said Thursday she could not recall another instance in which so many of the credit union's customers potentially have been affected by a cyber attack targeting a retailer.
She said such cases "happen a lot, and it happens to all financial institutions."
She said as of Thursday, Redwood had confirmed 200 "fraud-related cases from the Raley's stores."
One was from Petaluma resident Stan Culler, who was shocked to discover Thursday morning that someone had withdrawn $500 from his Redwood account the night before from an ATM in Las Vegas.
Culler said his wife shopped at a Raley's on North McDowell Boulevard in Petaluma only once this year, using the self-checkout line. The couple normally go to Lucky.
"That's like the worst lottery to hit ever," he said.
The scam potentially dwarfs a 2011 case involving 140 Petaluma residents and more than 500 victims across the Bay Area whose financial information was stolen after they shopped at a Lucky store. The thieves slipped a card-reading device inside the self-checkout terminals at 24 of the chain's Northern California stores to collect data and transmit it over wireless networks.
However, a Raley's spokeswoman on Thursday said the West Sacramento-based supermarket chain had yet to confirm any cases of unauthorized access to customer card data.
That's after the company on June 6 broadcast a public alert that criminals may have been able to obtain customer payment card data, such as card numbers, expiration dates or magnetic stripe data, in what the supermarket chain described as a "complex, criminal cyber attack."
"We do not have any evidence at any point or time that this was a successful infiltration," company spokeswoman Nicole Townsend said Thursday. "However, we have signs that there was an attack."
Benjamin, with Redwood, called Townsend's statement "interesting."
"That's kind of counter to what their press release was to the whole situation," Benjamin said.
She said Visa notified Redwood on about June 7 that several thousand accounts held by the credit union could have been affected by the Raley's cyber attack. The accounts represented customers who had shopped at one of Raley's stores during the period of time when the suspected breach occurred.
Benjamin said the credit union began monitoring those accounts for suspicious activity and sent alerts to customers warning them of the potential security breach. She said Redwood also began the process of issuing new debit cards to 18,400 customers but did not immediately close those accounts.
"You don't just want to cut people's cards off because they need them. They're never going to take a loss on any of those cards," she said.
The online message Culler received from Redwood two weeks ago said his account would be closed July 30, or immediately, if Redwood spotted "an increase in fraud issues related to this incident." In the meantime, the credit union was sending him a new debit card.