Ultimately, the Lucky supermarket chain may be blameless for why it was the target of a sophisticated plot to steal customers' credit and debit card information. After all, when it comes to the risks of losing personal information, it's a cowardly new world out there.
But Lucky officials fully deserve the flak they're receiving for their glacial pace in alerting customers once it was clear that a big problem existed. By all appearances, the culprits of this scam profited from that nearly three-week delay, and now customers, some of them on the North Coast, are paying the price.
Consider the timeline.
Lucky said the problem surfaced as far back as Nov. 3, when maintenance crews noticed a suspicious device in a self-checkout terminal at a Mountain View store.
It took eight days for that information to find its way to the Modesto headquarters of the store's corporate owner and for technicians to begin examining terminals in other Lucky locations. The search turned up similar devices in 15 stores, including one on Lakeville Highway in Petaluma.
Company officials then notified law enforcement as well as Verifone, the company that provides the electronic payment systems for customers to pay by debit or credit card. Verifone confirmed that the devices posed a security risk. The company then conducted a thorough search of all 233 Lucky outlets in California and Nevada.
By all accounts, the company contacted everyone it needed to — everyone except customers.
"We actually at that point thought that we had prevented any data breaches," said Stephen Ackerman, chief financial officer of Save Mart Supermarkets, the corporate owner of Lucky's.
Even if it had prevented such a breach, didn't customers deserve the benefit of the doubt? Shouldn't they have received a direct warning through the media alerting them that a computer board designed to steal card data and track numbers had been up for who-knows-how-long at many Bay Area stores and that they should watch their bank accounts carefully?
Reports of suspicious bank withdrawals soon began to circulate, including in Petaluma. According to Ackerman, the company has since fielded more than 1,500 calls.
Petaluma police said that as of Tuesday they had received 112 calls from people regarding unauthorized withdrawals. As Staff Writer Julie Johnson reported Wednesday, one person discovered six separate withdrawals totalling about $3,000. That discovery was made as recently as Monday.
Police are encouraging Lucky customers to look carefully at their bank statements from October through this month.
Let's be clear. Lucky officials aren't the bad guys here. That distinction belongs to the flimflammers who have been trolling for people's financial information and deserve to be deposited in a secure jail cell. Nevertheless, any company that handles customers' financial data is obligated to zealously protect that information and alert customers anytime there's a potential risk. In this case, Lucky customers weren't so fortunate.
Read all of the PD's fire coverage here