file

Consumer

Security Advisory

For Immediate Release

SUPERVALU DISCOVERS MALWARE ON SOME OF ITS POINT OF SALE SYSTEMS; ENHANCED PROTECTIVE TECHNOLOGY BELIEVED TO HAVE SIGNIFICANTLY LIMITED THE RISK OF DATA THEFT
 
Eden Prairie, Minnesota, September 29, 2014 — SUPERVALU INC. (NYSE: SVU) previously announced, on August 14, 2014, that it had experienced a criminal intrusion into the portion of its computer network that processes payment card transactions at some of its retail food stores, including some of its associated stand-alone liquor stores (but not including its Save-A-Lot stores). The Company further announced at that time that, by means of the criminal intrusion, some types of cardholder data may have been stolen from payment cards used at the stores in question during a period that began no earlier than June 22, 2014 and ended no later than July 17, 2014. While the investigation of that incident remains ongoing, the Company still has not determined that any of such cardholder data was in fact stolen by the intruder during that incident.
 

The Company has recently discovered that, in what it believes to have been late August or early September 2014, an intruder installed different malware into the portion of its computer network that processes payment card transactions at some of its Shop ’n Save, Shoppers Food & Pharmacy and Cub Foods owned and franchised stores, including some of its associated stand-alone liquor stores. The Company believes this was a separate intrusion from the one announced on August 14. Upon recognition of this intrusion, the Company took immediate steps to secure the affected part of its network and believes it has eradicated the malware. An investigation of this recently discovered incident is underway.

Importantly, the Company believes that its enhanced protective technology significantly limited this recently discovered malware’s ability to capture data from payment cards where the malware was installed. Specifically, although the investigation is ongoing, SUPERVALU believes that this malware did not succeed in capturing data from any payment cards used at any stores other than at some checkout lanes at four Cub Foods franchised stores that are discussed below. Even as to the checkout lanes at these four stores, the Company has made no determination that any cardholder data was in fact stolen by the intruder.

Moreover, although the investigation is ongoing, the Company believes this recently discovered malware was not installed at, and did not affect, any of its Farm Fresh or Hornbacher’s stores, any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the Company through its Independent Business network (other than the affected Cub Foods franchised stores). 

The Company promptly notified federal law enforcement authorities of this criminal incident and is cooperating in their efforts to investigate the matter and identify those responsible. This press release has not been delayed as a result of law enforcement investigation. SUPERVALU has also notified the major payment card brands of this incident. 

“We care greatly about our customers, and the safety of their personal information will continue to be a top priority for us,” said President and CEO Sam Duncan. “We’ve taken measures to install enhanced protective technology that we believe significantly limited the ability of this malware to capture payment card data and we will continue to make these investments going forward.”

SUPERVALU continues to take actions to implement further security enhancements and the Company is committed to continuing to improve its information security safeguards to protect its stores against these types of attacks.

Although the investigation is ongoing, SUPERVALU believes that the recently discovered malware potentially captured data from payment cards used at some checkout lanes in four franchised Cub Foods stores in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake, Minnesota, where implementation of the enhanced protective technology had not yet been completed. For these four stores, SUPERVALU believes that the malware may have been successful in capturing account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some checkout lanes during the period of August 27 (at the earliest) through September 21 (at the latest), 2014; however, the Company has made no determination that any cardholder data was in fact stolen by the intruder. 

Given the continuing nature of the investigation, it is possible that time frames, locations, at-risk data, and/or other facts in addition to those described above will be identified in the future.  

Although SUPERVALU has not determined that any cardholder data was in fact stolen by the intruder at the four franchised Cub Foods stores in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake, MN, the Company is offering customers who used their payment cards at those four stores during the relevant time period 12 months of complimentary consumer identity protection services through AllClear ID. SUPERVALU has established a call center to answer customer questions about the intrusions and the identity protection services being offered. This call center will be staffed Monday through Saturday from 8 a.m. to 8 p.m. Central time and can be reached at (855) 731-6018. Customers can also visit www.supervalu.com under the Consumer Security Advisory section for additional information about this intrusion and the intrusion announced on August 14 and the complimentary consumer identity protection services being offered through AllClear ID.

Customers are not responsible for counterfeit fraudulent charges on their credit cards or debit cards that are timely reported. Accordingly, if customers become aware of such activity, they should contact their issuing bank immediately. Below is a “Consumer Identity Protection Reference Guide” that details the steps customers can take to protect their information against potential misuse, including the option to place a fraud alert or a security freeze on their credit file. SUPERVALU urges customers to be vigilant and closely review or monitor their bank and credit card statements, credit reports and other financial information for any evidence of identity theft or other unusual activity. The Company reminds its customers that under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To obtain a free credit report, customers should visit www.annualcreditreport.com or call, toll free, (877) 322-8228.

Some stores owned and operated by Albertson’s LLC and New Albertson’s, Inc. experienced a related criminal intrusion, also in what is believed to have been late August or early September 2014.  For more information about the intrusion affecting Albertson’s LLC and New Albertson’s, Inc. stores, please visit albertsons.com, acmemarkets.com, jewelosco.com, or shaws.com. SUPERVALU provides information technology services to these Albertson’s LLC and New Albertson’s, Inc. stores pursuant to transition services agreements, and we have been working together to respond to the newly discovered intrusion into their stores. SUPERVALU believes that any losses incurred by Albertson’s LLC or New Albertson’s, Inc. as a result of the intrusions affecting their stores would not be SUPERVALU’s responsibility.

SUPERVALU continues to maintain insurance for cyber threats, which it believes should mitigate the financial effect on SUPERVALU of these and the previously announced intrusions, including claims made or that might be made against the Company based on these intrusions. Based on currently available information, SUPERVALU management does not believe that the ultimate outcome of these intrusions, including any related lawsuits, claims or other proceedings that have been or might be initiated against the Company, will have a material adverse impact on the Company’s consolidated results of operations, cash flows or financial position. 

In the event the Company learns additional information or makes further findings regarding the intrusions that it believes are material to SUPERVALU and its stockholders, SUPERVALU will update its disclosures accordingly.

About SUPERVALU INC.
SUPERVALU INC. is one of the largest grocery wholesalers and retailers in the U.S. with annual sales of approximately $17 billion. SUPERVALU serves customers across the United States through a network of 3,320 stores composed of 1,805 independent stores serviced primarily by the Company’s food distribution business, 1,325 Save-A-Lot stores, of which 931 are operated by licensee owners; and 190 traditional retail grocery stores (store counts as of June 14, 2014). Headquartered in Minnesota, SUPERVALU has approximately 35,000 employees. For more information about SUPERVALU visit www.supervalu.com.

CAUTIONARY STATEMENTS RELEVANT TO FORWARD-LOOKING INFORMATION FOR THE PURPOSE OF “SAFE HARBOR” PROVISIONS OF THE PRIVATE SECURITIES LITIGATION REFORM ACT OF 1995.

Except for the historical and factual information contained herein, the matters set forth in this news release, particularly those pertaining to SUPERVALU’s expectations, guidance, or future operating results, and other statements identified by words such as “believes,” “estimates,” “expects,” “projects,” “plans” and similar expressions are forward-looking statements within the meaning of the “safe harbor” provisions of the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to risks and uncertainties that may cause actual results to differ materially, including claims that may be brought by third parties related to the intrusions; actions by government agencies; results from the ongoing forensic investigation of the intrusions, which could indicate that the scope of the intrusions was broader than initially identified; the effect on our relationships with Albertson’s LLC and New Albertson’s, Inc., the nature and extent of their losses from the intrusions and our liability under the transition services agreements for such losses; adequacy of insurance; disruption of information technology systems; fluctuations in our common stock price and other risk factors relating to our business or industry as detailed from time to time in SUPERVALU’s reports filed with the SEC. You should not place undue reliance on these forward-looking statements, which speak only as of the date of this news release. Unless legally required, SUPERVALU undertakes no obligation to update or revise publicly any forward-looking statements, whether as a result of new information, future events or otherwise.

For Investors:
Steve Bloomquist
952-828-4144
Steve.bloomquist@supervalu.com

For Media:
Jeff Swanson
952-903-1645
Jeffrey.swanson@supervalu.com

CONSUMER IDENTITY PROTECTION REFERENCE GUIDE
In addition to carefully reviewing their financial institution and credit card statements, SUPERVALU recommends that its customers consider these additional steps:

Security Freeze.  Some state laws allow you to place a security freeze on your credit reports.  This would prohibit a credit reporting agency from releasing any information from your credit report without your written permission.  You should be aware, however, that placing a security freeze on your credit report may delay, interfere with or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing or other services.

If you believe that you have been a victim of identity theft and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze on your credit reports.  In all other cases, a credit reporting agency may charge you up to $5.00 each time you place, temporarily lift or permanently remove a security freeze.

To place a security freeze on your credit report, you must send a written request to each of the three credit reporting agencies noted below, which must include the following information: (1) Full name (including middle initial as well as Jr., Sr., II, III, etc.); (2) Social Security Number; (3) Date of birth; (4) Addresses for the prior five years; (5) Proof of current address; (6) A legible copy of a government issued identification card; (7) A copy of any relevant police report, investigative report, or complaint to a law enforcement agency concerning identity theft; and (8) If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only).  Do not send cash through the mail. 

Equifax
P.O. Box 740241
Atlanta, Georgia 30374-0241
877-478-7625 www.equifax.com

Experian
P.O. Box 9532
Allen, Texas 75013
888-397-3742 www.experian.com

TransUnion Fraud Victim Assistance Division
P.O. Box 6790
Fullerton, California 92834-6790
800-680-7289 www.transunion.com

Under some state laws, you have the right to obtain a copy of any police report regarding the intrusion.  Please note that at this time, SUPERVALU has not filed any such police report.

Free Credit Reports.  To order your free credit report, visit www.annualcreditreport.com, call toll-free at (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.  The three national credit bureaus provide free annual credit reports only through the website, toll-free number or request form.

When you receive your credit report, review it carefully.  Look for accounts you did not open.  Look in the “inquiries” section for names of creditors from whom you haven’t requested credit.  Some companies bill under names other than their store or commercial names.  The credit bureau will be able to tell you when that is the case.  Look in the “personal information” section for any inaccuracies in your information (such as home address and Social Security number).  If you see anything you do not understand, call the credit bureau at the telephone number on the report.  Errors in this information may be a warning sign of possible identity theft.  You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected.  If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing.

If there is information on your credit report that the credit bureau cannot explain, you should call the creditors involved.  Information that can’t be explained also should be reported to your local police or sheriff’s office because it may signal criminal activity.

In addition, if you detect any incident of identity theft or fraud, promptly report the incident to your local law enforcement authority, your state Attorney General and the FTC.  If you believe your identity has been stolen, the FTC recommends that you take these additional steps:

· Close the accounts that you have confirmed or believe have been tampered with or opened fraudulently.  Use the FTC’s ID Theft Affidavit (available at www.ftc.gov/idtheft) when you dispute new unauthorized accounts.

· File a local police report.  Obtain a copy of the police report and submit it to your creditors and any others that may require proof of the identity theft crime.

You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft/

Fraud Alerts.  To protect yourself from possible identity theft, consider placing a fraud alert on your credit file.  A fraud alert helps protect you against the possibility of an identity thief opening new credit accounts in your name.  When a merchant checks the credit history of someone applying for credit, the merchant gets a notice that the applicant may be the victim of identity theft.  The alert notifies the merchant to take steps to verify the identity of the applicant.  You can place a fraud alert on your credit report by calling any one of the toll-free fraud numbers provided below.  You will reach an automated telephone system that allows you to flag your file with a fraud alert at all three credit bureaus.

Equifax
P.O. Box 740241
Atlanta, Georgia 30374-0241
877-478-7625 www.equifax.com

Experian
P.O. Box 9532
Allen, Texas 75013
888-397-3742 www.experian.com

TransUnion Fraud Victim Assistance Division
P.O. Box 6790
Fullerton, California 92834-6790
800-680-7289 www.transunion.com