Outwitted by high-tech scammers, Lucky delayed warning customers of security breach

Lucky Supermarket executives, outwitted by criminals using wireless technology to download customer financial information from self-checkout terminals in Petaluma and across the Bay Area, delayed notifying customers because they thought they'd prevented a security breach.

However, as officials took three weeks to diligently check each terminal at the company's 233 stores, criminals continued to access debit card numbers and PINs and then began draining cash from bank accounts of unsuspecting Lucky customers.

"We actually at that point thought that we had prevented any data breaches," said Stephen Ackerman, chief financial officer of Lucky's corporate owner, Modesto-based Save Mart Supermarkets.

Most debit and credit card skimmers store data and then are physically retrieved by someone who downloads the information, he said.

Because Lucky officials had seized the devices, they believed that any data in them was secure, Ackerman said.

On Tuesday, reports from Petaluma residents who discovered unauthorized withdrawals from their bank accounts after shopping at Lucky continued to pour into the Petaluma Police Department and had swelled to 112, Petaluma Police Lt. Tim Lyons said. One person discovered six separate withdrawals Monday that totalled about $3,000, he said.

"People's accounts are still being accessed," Lyons said.

And more reports of suspicious bank withdrawals flooded the company's customer service hotline from people across the Bay Area, company officials said. Customer service workers fielded more than 1,500 calls Tuesday from people concerned about the breach.

Ackerman described the device as a computer board with memory chips that can read card data and track numbers entered into PIN pads.

Officials eventually would learn that the devices appeared to transmit financial data using Bluetooth wireless technology.

He said a person could access data from the parking lot.

"It's unprecedented," said Ackerman.

A U.S. Secret Service financial crimes unit based in San Jose now is investigating what appears to be a widespread scheme. They sent the device for analysis to a Chicago unit with special technology skills, he said.

Lucky Supermarkets maintenance crews first noticed a suspicious device Nov. 3 in a self checkout terminal at a Mountain View store, company officials said.

It took several days for word to reach managers at the company's Modesto headquarters, Ackerman said.

A week later on Nov. 11, technicians began examining terminals at the company's stores across California and Nevada. They discovered out-of-place computer boards at 15 stores, including the Petaluma store on Lakeville Highway, and removed them that day.

On Nov. 14, Ackerman said he delivered a tampered unit to the investigation department of the manufacturer, Verifone.

Three days later, Verifone staff sent Ackerman an email with "a forensic report saying, 'We think you have a problem,'" he said.

"At that point in time, we got everybody involved, we got law enforcement involved and called the Secret Service," Ackerman said.

The last suspicious device was removed Nov. 16 and by Nov. 22 technicians had checked all of the company's 233 stores. The computer devices had been installed in one terminal per store.

"At that time, we didn't necessarily know what the tampering involved. We didn't know what they were capturing and not capturing," said a Save Mart Supermarkets spokeswoman, Alicia Rockwell .

The next day, Nov. 23, the company posted an alert about the breach on its web site, which it updated to include all 23 stores Tuesday.

"We felt that, in the actions that we took and the guidance we were receiving by the authorities and the card companies, that we were handling this effectively," Rockwell said.

Petaluma police officials Tuesday continued to take reports and attempt to determine precisely when the unauthorized withdrawals began. They became aware of the problem on Saturday when at least seven complaints were filed. That was a month after the first device was discovered by Lucky workers.

Police are asking residents to review all bank statements from October to December. People should first report unauthorized withdrawals to their bank or credit union, then file a report with the police.

Lyons said people can bring copies of their bank statements to the police department.

Lyons said Petaluma victims over the past weekend reported a torrent of unauthorized withdrawals that were occurring in San Jose, San Mateo, Downey in Southern California and elsewhere.

Christine Carey, who moved to Petaluma about six months ago, said she was alerted by her bank, JP Morgan Chase.

Carey, 45, hadn't noticed a string of fees levied when someone was checking her balance from an ATM near Simi Valley until a Chase bank staff member called her at 10 a.m. Sunday to ask about suspicious activity.

Earlier that day, someone rang up four $2 charges by checking her account at a non-Chase ATM before $500 was withdrawn, said Carey, a sales analyst with Barbara's Bakery.

"I didn't make the connection until I saw the news broadcast, and I said .

.

. there it is," Carey said. Bank statements show Carey shopped at Lucky four times during the week of Nov. 1. The Lakeville Highway store is on her way home from work."I am disappointed and I have some bad feelings for Lucky because I wish they had been proactive," Casey said.She filed a claim with Chase and a bank official told her she should be reimbursed within a day or two."I'm sure the banks are insured, but someone ultimately is paying," Carey said. "And these people are getting away with it."

Bank statements show Carey shopped at Lucky four times during the week of Nov. 1. The Lakeville Highway store is on her way home from work.

"I am disappointed and I have some bad feelings for Lucky because I wish they had been proactive," Casey said.

She filed a claim with Chase and a bank official told her she should be reimbursed within a day or two.

"I'm sure the banks are insured, but someone ultimately is paying," Carey said. "And these people are getting away with it."
