Brian Krebs reports:
Jam and jelly maker Smucker’s last week shuttered its online store, notifying visitors that the site was being retooled because of a security breach that jeopardized customers’ credit card data. Closer examination of the attack suggests that the company was but one of several dozen firms — including at least one credit card processor — hacked last year by the same criminal gang that infiltrated some of the world’s biggest data brokers.
Read more on KrebsOnSecurity.com. The reporting on the SecurePay breach is interesting because it looks like security fell through the cracks when Calpiancommerce.com acquired SecurePay’s assets from Pipeline Data, a now-defunct entity that had gone bankrupt in early 2013.
Update 1: Smucker’s February 27 notification to New Hampshire can be found here (pdf). Of note, they report:
On February 12, 2014, the Federal Bureau of Investigation notified Smucker that someone illegally accessed data files within the Smucker Online Store. While the investigation continues, initial findings indicate that the attacker installed malware in the Online Store environment in December 2012. The malware was active from approximately December 23, 2012 through January 28, 2014. Unfortunately, Smucker believes the malware allowed the unauthorized user access to certain customer personal information, including names, addresses, email addresses, phone, credit or debit card numbers, expiration dates, and verification codes.