Aldi Offers Details about 11-State Debit Card ID Heist

New details are emerging that point to an expanding scope for the data breach that hit the supermarket chain Aldi, a story that first surfaced last week. Now, Aldi goes on the record and reveals more details about the operation, which may become the largest identity theft crime in retailing since the Hannaford Bros. first reported a massive breach in early 2008.

This much we know: thieves installed skimmers on POS units that enabled them to capture customer debit card IDs and passwords, and then use this information to make ATM withdrawals. 

Initial reports focused on a Chicago-based crime epicenter, but Aldi revealed new details that point to a much larger base of operation, possibly national in scope. 

So far Aldi reveals the following 11 states have been victimized by the ring: 
  • Connecticut (limited to greater Hartford area)
  • Georgia (limited to greater Atlanta area)
  • Illinois (limited to greater Chicago area) 
  • Indiana (limited to greater Indianapolis area)
  • Maryland
  • New Jersey
  • New York (limited to greater Rochester area and Lower Hudson Valley)
  • North Carolina (limited to greater Charlotte and Raleigh areas)
  • Pennsylvania (limited to greater Pittsburgh and Philadelphia areas)
  • South Carolina (limited to greater Charlotte area)
  • Virginia (limited to greater Washington, D.C. area)
The crime took place, according to the Aldi statement, from June 1 to August 30.

According to a statement released by Terry E. Pfortmiller, vice president of finance and administration for Aldi, "The tampered terminals were capable of capturing information such as name, card account number and PIN...The crime was immediately reported to federal law enforcement authorities, we began an investigation, and we conducted a thorough review of all stores nationwide and removed terminals we believe may have been affected.  In addition, we ensured that the relevant payment card brands were notified.  We also implemented additional security measures to prevent this type of crime from reoccurring."

The statement by Pfortmiller, which was addressed to customers, encourages them, if they suspect they have been victimized, to immediately contact their bank or payment card company, local law enforcement authorities, and request a credit report from the three national credit bureaus.

Aldi also apologized to customers and set up a toll-free number to call Monday through Friday between 9 a.m. CDT and 4:30 p.m. CDT.

One important thing Aldi did not do was report exactly which stores were hit by the POS skimmers, which would be of great service to customers worried about their debit card accounts. Nor did Aldi offer to contact customers who shopped at each of the victimized stores during the three-month period when the skimmers were installed to inform them about their potential risk. 
To view a copy of the Aldi statement click here.

Related Stories

Aldi Hit by Sophisticated Debit Card Fraudsters
This ad will auto-close in 10 seconds