Lucky Supermarket executives, outwitted by criminals using wireless technology to download customer financial information from self-checkout terminals in Petaluma and across the Bay Area, delayed notifying customers because they thought they'd prevented a security breach.
However, as officials took three weeks to diligently check each terminal at the company's 233 stores, criminals continued to access debit card and pin numbers and then began draining cash from bank accounts of unsuspecting Lucky customers.
"We actually at that point thought that we had prevented any data breaches," said Stephen Ackerman, chief financial officer of Lucky's corporate owner, Modesto-based Save Mart Supermarkets.
<NO1><NO>Most debit and credit card skimmers store data and then are physically retrieved by someone who downloads the information, he said.
Because Lucky officials had seized the devices, they believed that any data in them was secure, Ackerman said.
On Tuesday, reports from Petaluma residents who discovered unauthorized withdrawals from their bank accounts after shopping at Lucky continued to pour into the Petaluma Police Department and had swelled to 112, Petaluma Police Lt. Tim Lyons said. One person discovered six separate withdrawals Monday that totalled about $3,000, he said.
"People's accounts are still being accessed," Lyons said.
And more reports of suspicious bank withdrawals flooded the company's customer service hotline from people across the Bay Area, company officials said. Customer service workers fielded more than 1,500 calls Tuesday from people concerned about the breach.
<NO1><NO>Ackerman described the device as a computer board with memory chips that can read card data and track numbers entered into pin pads.
Officials eventually would learn that the devices appeared to transmit financial data using Bluetooth wireless technology.
He said a person could access data from the parking lot.
"It's unprecedented," said Ackerman.
A U.S. Secret Service financial crimes unit based in San Jose now is investigating what appears to be a widespread scheme. They sent the device for analysis to a Chicago unit with special technology skills, he said.
Lucky Supermarkets maintenance crews first noticed a suspicious device Nov. 3 in a self checkout terminal at a Mountain View store, company officials said.
It took several days for word to reach managers at the company's Modesto headquarters, Ackerman said.
A week later on Nov. 11, technicians began examining terminals at the company's stores across California and Nevada. They discovered out-of-place computer boards at 15 stores, including the Petaluma store on Lakeville Highway, and removed them that day.
On Nov. 14, Ackerman said he delivered a tampered unit to the investigation department of the manufacturer, Verifone.
Three days later, Verifone staff sent Ackerman an email with "a forensic report saying, &‘We think you have a problem,'" he said.
"At that point in time, we got everybody involved, we got law enforcement involved and called the Secret Service," Ackerman said.
The last suspicious device was removed Nov. 16 and by Nov. 22 technicians had checked all of the company's 233 stores. The computer devices had been installed in one terminal per store.
"At that time, we didn't necessarily know what the tampering involved. We didn't know what they were capturing and not capturing," said a Save Mart Supermarkets spokeswoman, Alicia Rockwell .
The next day, Nov. 23, the company posted an alert about the breach on its web site, which it updated to include all 23 stores Tuesday.