Aldi data breach shows payment terminal holes

Thieves hit point-of-sale terminals in Aldi grocery stores in 11 states

A debit card breach disclosed late last week by discount grocer Aldi Inc. shows how hardware hacks are starting to pose as much of a threat to payment card data as software-based attacks.

Batavia, Ill.-based Aldi, which operates 1,100 stores in 31 states, disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August.

The hackers gained access to various debit card data, such as name, account data and personal identification numbers (PINs) of an undisclosed number of customers, the company said.

So far, officials said that hacked terminals were discovered at Aldi stores in Connecticut, Georgia, Illinois, Indiana, Maryland, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, and Virginia. All the hacked terminals have been replaced, the company said.

More than 1,000 Aldi shoppers in the Chicago area and from Indianopolis have already reported fraudulent activities related to breaches at Aldi stores. There have been similar reports in other states as well. Analysts estimate that there could be some tens of thousands victims.

Analysts said the number of payment terminals and the widespread area affected by the Aldi breach makes it unusual. It comes at a time of growing concerns about the security of payment terminals.

Typically, payment terminal breaches are localized because hackers must physically access each device to manually tweak or replace the internal electronics.

The geographic breadth of the Aldi attack suggests intricate planning, said Jim Huguelet, a Sugar Grove, Ill.-based consultant, who advises clients on payment security issues. "It looks like this was the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices" designed to steal payment data, he said.

The theft of the PIN data suggests that the crooks most likely used a transparent overlay of some type so that that customer PIN numbers could be captured before it was encrypted, Huguelet said. It is also more than likely that the rogue PIN pads allowed the attackers to capture payment card data wirelessly from within the store itself or from a nearby location such as a parking lot.

The tampering likely occurred over a period of several months, he said.

Colin Sheppard, director of incident response at Trustwave, which provides security auditing services to large retailers, said that such attacks against U.S. retailers have grown over the past couple of years, as criminals are finding the tactic a relatively easy way to obtain magnetic stripe and PIN data.

Also driving the trend is the easy and growing availability of sophisticated counterfeit payment terminal kits designed for use in such schemes he said. Many of the rogue kits are offer virtually the same appearance and functionality as terminals used in stores. The rogue devices also support Bluetooth and GSM to enable quick, wireless transfer of stolen payment card data, he said.

"There are certainly rings of fraudsters, largely from Eastern Europe, that are descending on the streets of America, literally traveling up and down highways and inserting skimming devices on ATM machines," said Avivah Litan, an analyst with Gartner. "So I can certainly believe that these same types of fraudsters are organized to attack multiple stores in multiple states simultaneously."

In Aldi's case, the scheme likely started with the theft of just one point of sale device, she said, "They figured out how it worked, how to tamper with it and how to steal the PINs," she added. The next step was to hire people to take part in the mass attacks, Litan said.

"I'd expect to see more of this type of attack in the coming year," she said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hardware systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Jaikumar Vijayan

Jaikumar Vijayan

Computerworld (US)
Show Comments


Brother MFC-L3745CDW Colour Laser Multifunction

Learn more >



Sony WH-1000XM4 Wireless Noise Cancelling Headphones

Learn more >


Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?