The attackers used malware to capture sensitive data

Mar 5, 2014 07:47 GMT

The systems of Smucker’s – the Ohio-based company that makes fruit spreads, beverages, ice cream topping and other similar products – have been hacked. The company has been forced to shut down its online store following the incident.

Smucker’s says the attackers gained “illegal and unauthorized” access to files on the online store servers. They could have accessed customer information, including names, addresses, email addresses, phone numbers, credit and debit card numbers, their expiration dates and verification codes.

“The unauthorized user utilized a sophisticated scheme to illegally obtain this personal information as it was being entered during the online checkout process,” Richard Smucker, the company’s CEO, wrote in a statement posted on the Smucker’s online store.

“We are extremely disappointed this incident occurred and sincerely apologize for any inconvenience this may cause. Please be assured, we continue to thoroughly investigate this matter with federal authorities, and have taken steps to rectify the cause of this incident with the Online Store website,” he added.

In a letter sent out to impacted customers at the end of February, the company revealed that it discovered the breach on February 12, 2014. People who made purchases in the online store between December 2012 and January 2014 are impacted.

The attackers relied on a piece of malware designed to steal the information as it is being entered by users during the online checkout process.

Smucker’s is offering affected individuals a full package of credit protection services for two years.

The cybercriminals who breached Smucker’s appear to be part of the same group that hacked into the systems of Adobe, the National White Collar Crime Center, and various data brokers such as Dun & Bradstreet, Kroll and LexisNexis.

Brian Krebs, who has investigated all these attacks, says the cybercriminals in many cases target websites running vulnerable versions of ColdFusion.

Krebs says the same group has also targeted the systems of SecurePay, a credit card processing company. SecurePay, which was acquired by Calpiancommerce.com in early 2013, moved online operations to a new data center in October 2013.

However, it appears the thieves managed to steal around 5,000 card transaction records while SecurePay operations were still at a data center in New York. The company that owned SecurePay at the time, Pipeline Data, was running outdated software on its servers.

SecurePay’s chief operating officer, Tom Tesmer, told Krebs that a web application firewall alert was triggered in the summer of 2013 and the administrators of the New York data center were made aware of it, but apparently they didn’t take proper action.