RaceTrac Dealing With Data Breach

Revelation of skimming activity that targeted high-profile chain should spark security talk

Angel Abcede, Senior Editor/Tobacco, CSP

Greg Lindenberg, Editor, CSP


ATLANTA -- The revelation that well-known industry retailer RaceTrac Petroleum experienced a year-long breach that began in March 2012 and involved millions of dollars will have serious ramifications in gas station and convenience store company boardrooms across the country, according to the founder of a major risk-assessment firm.

The breach was made public when Manhattan District Attorney Cyrus Vance Jr. released a statement Jan. 21 that 13 individuals were indicted in an alleged data-skimming scheme said to involve Raceway and RaceTrac stations in Georgia, Texas and South Carolina and $2.1 million in stolen and laundered money.

Atlanta-based RaceTrac confirmed for CSP Daily News that it did fall victim to such skimming activity, with the culprits "using Bluetooth-enabled devices to download stolen consumer data," said Ashleigh Collins, a spokesperson for the 670-store chain.

She said RaceTrac implemented proprietary procedures to detect and deter skimming issues, and "it was thanks to these procedures that we were able to identify the illegal activity and take action against the alleged culprits."

In a statement, Collins said: "RaceTrac is assisting the Manhattan district attorney's office with its case against 13 defendants for allegedly stealing victims' banking information with skimming devices.

"RaceTrac guests can be assured that we take the security of their personal information seriously. Data theft is pervasive, and like retailers everywhere, we are constantly working with financial institutions, credit-card companies and law enforcement to evaluate and update our security measures to keep guests protected. We want to make shopping with us enjoyable, easy--and safe.

"RaceTrac has implemented proprietary procedures to detect and deter this type of illegal activity to better protect our guests and assist law enforcement. We do this--and encourage other retailers to do the same--to better protect our guests and assist law enforcement. We will continue to proactively protect our guests' personal information and are working with authorities regarding this ongoing legal matter."

When asked to detail what measures RaceTrac has put in place to deter further breaches, Collins responded, "From implementing the latest pump-security technology, to on-the-ground efforts at our stores, RaceTrac is confident that our security procedures allow us to identify illegal activity, cease the activity and immediately notify law enforcement while actively working with authorities during their investigation."

When asked how many cardholders were affected and if RaceTrac informed them about the breach, Collins said the chain is adhering to all Payment Card Industry (PCI) obligations and applicable state laws, and fortunately has not been subject to any fines as of yet.

"If RaceTrac--a premiere merchant that you know has worked on data security--[and can fall victim] to direct attacks, what does it mean for everyone else?" asked Rick Dakin, CEO and cofounder of Coalifire, a Louisville, Colo.-based risk assessment firm. "It's raising serious boardroom questions."

Dakin told CSP Daily News that his firm is conducting its own study to assess merchant risk and gauge their current level of concern regarding data security. Thus far, he describes the climate as "unsettled." With news of other major retailers falling victim--most recently Minneapolis-based Target and Dallas-based Neiman Marcus--Dakin said operators are wondering if the security programs they're following are good enough.

"They're following security programs set by banks … not c-stores or other retailers," Dakin said. "The focus of a lot of data security today is to protect credit-card transactions and reduce fraud [tied to] banks. But [for retailers], it doesn't get to the heart of the matter … what are their assets and are they protecting them commensurate to what's needed?".

When asked why he believes no one heard about the RaceTrac breach for nearly a year when other well-publicized breaches made the news sooner, Dakin said while averting embarrassment or raising public concern is certainly an issue, in many cases, retailers are complying with law enforcement.

"When it involves skimming where there's physical evidence like fingerprints, you may not hear about it because law enforcement doesn't want to tip their hands," Dakin said. "For highly ethical companies, you bet they're notifying their customers. But take the Target case for instance. They weren't the only retailer involved. You don't hear other names, [most likely] for those reasons."

Another unfortunate reason could simply be the sheer number of breaches that actually occur these days. "The joke is, if you don't lose a million cards, you don't make The Wall Street Journal," Dakin said. "Hackers are getting quite good."

"We encourage all retailers to work together," said Collins, "leveraging best practices from NACS and other state trade associations to prevent the theft of consumers' personal information."

RaceTrac operates more than 365 RaceTrac locations and licenses more than 300 Raceway locations in Georgia, Florida, Louisiana and Texas. In January 2012, RaceTrac introduced its new 6,000-square-foot store design, featuring 24-hour Swirl World frozen yogurt, fresh salads and sandwiches, up to 24 fueling stations and more than 4,000 items.