Ultimately, the Lucky supermarket chain may be blameless for why it was the target of a sophisticated plot to steal customers' credit and debit card information. After all, when it comes to the risks of losing personal information, it's a cowardly new world out there.
But Lucky officials fully deserve the flak they're receiving for their glacial pace in alerting customers once it was clear that a big problem existed. By all appearances, the culprits of this scam profited from that nearly three-week delay, and now customers, some of them on the North Coast, are paying the price.
Consider the timeline.
Lucky said the problem surfaced as far back as Nov. 3, when maintenance crews noticed a suspicious device in a self-checkout terminal at a Mountain View store.
It took eight days for that information to find its way to the Modesto headquarters of the store's corporate owner and for technicians to begin examining terminals in other Lucky locations. The search turned up similar devices in 15 stores, including one on Lakeville Highway in Petaluma.
Company officials then notified law enforcement as well as Verifone, the company that provides the electronic payment systems for customers to pay by debit or credit card. Verifone confirmed that the devices posed a security risk. The company then conducted a thorough search of all 233 Lucky outlets in California and Nevada.
By all accounts, the company contacted everyone it needed to — everyone except customers.
"We actually at that point thought that we had prevented any data breaches," said Stephen Ackerman, chief financial officer of Save Mart Supermarkets, the corporate owner of Lucky's.
Even if it had prevented such a breach, didn't customers deserve the benefit of the doubt? Shouldn't they have received a direct warning through the media alerting them that a computer board designed to steal card data and track numbers had been up for who-knows-how-long at many Bay Area stores and that they should watch their bank accounts carefully?