Frequently Asked Questions About Security Breach
A sophisticated security attack occurred using malware (illegal software) planted on Sprouts Farmers Market’s point of sale system, affecting credit card terminals at 19 of the company’s 151 stores. The hack used the illegal software to attempt to obtain credit card and debit card information (no PIN numbers were taken) used by Sprouts customers when making purchases at the 19 stores. After a thorough investigation conducted by the company along with a nationally recognized data security firm, we are unable at this point to confirm with certainty whether any accounts were in fact compromised.
WHAT INFORMATION WAS TAKEN?
The account information that may have been compromised is limited to certain credit card and check/debit card account numbers. No PIN codes were vulnerable to the attack. No social security numbers or dates of birth were included.
WHEN DID THE BREACH HAPPEN?
The attack occurred between January 25 and January 29, 2013, depending on the particular store. See "Which stores were affected, and when?" below for specific store information.
WHO IS RESPONSIBLE FOR THE ATTACK?
We aren’t sure yet. We are working with skilled computer forensics experts and law enforcement to determine the origin of the attack. If it is possible for Sprouts to learn the identity or location of the hacker, we will share that information with the appropriate legal authorities to enable them to pursue those responsible. We hope the hacker will be brought to justice.
HOW DID SPROUTS FIND OUT?
Sprouts has extensive security measures in place, which include continuous monitoring of our electronic systems for viruses, malware and hacking attempts. The company discovered the intrusion within days of when the breach began and quickly took steps to prevent the illegal software from functioning.
WHAT DID SPROUTS DO ABOUT THE ATTACK?
When Sprouts became aware of the attack, it took prompt action to prevent the illegal software from functioning. Sprouts takes a proactive approach to its data security procedures. After confirming that the illegal software was no longer functioning, Sprouts engaged a data security firm to strengthen its point of sale procedures and add additional protections for customer information in all of its 151 stores. As one of those additional protections, Sprouts was able to quickly identify and replace the affected credit card terminals. In addition, Sprouts contacted law enforcement.
Sprouts is working closely with law enforcement, banks and payment card issuers to identify accounts that may have been compromised, to ensure that any customers affected by the data attack are identified and notified. Sprouts will also maintain its close working relationships with credit card companies and banks to ensure that Sprouts continues to update its security protocols.
DOES THIS MEAN SOMEONE STOLE MY IDENTITY/CARD NUMBER?
Not necessarily. Based on its investigation, Sprouts believes that certain credit card and debit card numbers (but not PIN numbers) used at the 19 stores affected by the illegal software may have been acquired by unauthorized third parties, but at this point it is unable to confirm whether accounts were, in fact, compromised.
If payment card information was successfully taken, it is possible that those account numbers may be used for fraudulent purchases, which is why it is so important to carefully monitor your account statement. Sprouts is working with law enforcement and the credit card companies involved to determine if accounts were affected and, if so, which accounts those are.
HOW MANY PEOPLE ARE AFFECTED?
We believe that the incident affected fewer than 2% of customers who used payment cards in Sprouts stores in January. We are working with law enforcement and the card issuers to learn exactly how many accounts may have been impacted.
WHICH STORES WERE AFFECTED, AND WHEN?
- Chandler, AZ (Dobson & Ray) starting 1/25/2013 and ending 1/29/2013
- Mesa, AZ (Brown & Gilbert) starting 1/25/2013 and ending 1/29/2013
- Peoria, AZ (83rd Ave. & Thunderbird) starting 1/25/2013 and ending 1/29/2013
- Phoenix, AZ (19th Ave. & Northern) starting 1/25/2013 and ending 1/29/2013
- Phoenix, AZ (28th St. & Indian School) starting 1/25/2013 and ending 1/29/2013
- Glendale, AZ (51st Ave. & Peoria) starting 1/25/2013 and ending 1/29/2013
- Mesa, AZ (Southern & Higley) starting 1/25/2013 and ending 1/29/2013
- Oro Valley, AZ (Oracle & Magee) starting 1/25/2013 and ending 1/29/2013
- Surprise, AZ (West Point Pkwy & Bell) starting 1/26/2013 and ending 1/29/2013
- Avondale, AZ (Dysart & McDowell) starting 1/26/2013 and ending 1/29/2013
- Gilbert, AZ (Val Vista & Williams Field) starting 1/26/2013 and ending 1/29/2013
- Chandler, AZ (Queen Creek & Alma School) starting 1/26/2013 and ending 1/29/2013
- Glendale, AZ (57th Ave. & Bell) starting 1/28/2013 and ending 1/29/2013
- El Cajon, CA (El Cajon & 2nd Street) starting 1/26/2013 and ending 1/29/2013
- San Marcos, CA (Las Posas & Hwy 78) starting 1/26/2013 and ending 1/29/2013
- Torrance, CA (Pacific Coast Hwy & Anza) starting 1/26/2013 and ending 1/29/2013
- Claremont, CA (Foothill Blvd & Mountain Ave) starting 1/26/2013 and ending 1/29/2013
- Irvine, CA (Alton & Paseo) starting 1/26/2013 and ending 1/29/2013
- Thousand Oaks, CA (Lynn & Hillcrest) starting 1/27/2013 and ending 1/29/2013
WHAT SHOULD I DO NOW?
If you used your card at one of the 19 stores during the affected time period, you should carefully monitor your account statements to be sure that any charges to your account are your purchases. If you see any suspicious or fraudulent activity on your account, notify your credit card company or bank immediately.
WHO SHOULD I CONTACT IF I AM CONCERNED ABOUT FRAUD?
You can notify your card issuer (the credit card company or bank) and report the fact that your card was used at one of the affected stores during the attack period. You may be able to “block” your card. Your card issuer may decide to cancel your card and issue a new card to you, or you may want to request a new card.
WILL I BE CHARGED FOR ANY UNAUTHORIZED CHARGES ON MY CARD?
If you used your credit card, you should not be responsible for any unauthorized charges, as long as you report them to your card issuer promptly. Each debit card issuer has its own policy with respect to fraudulent charges, but most banks limit your responsibility to $50 at most. Many issuers will not hold you responsible for any fraudulent charges, as long as you report the unauthorized card activity promptly. You must report any unauthorized charges to your card issuer promptly to avoid liability.
DO I NEED TO CONTACT LAW ENFORCEMENT?
No. Sprouts and your card issuer are working together with law enforcement in response to this incident. You need only monitor your own account, and report any suspicious charges to your card issuer. Your card issuer will take it from there.
CAN SOMEONE STEAL MY IDENTITY OR OPEN NEW ACCOUNTS IN MY NAME?
Generally no. In order to open a credit account in your name, someone would usually need more information than is available from a credit card terminal at the store. Someone could, however, try to make purchases using your card. That is why it is so important that you carefully review your statements to confirm that all of the activity shown is yours.
IS IT SAFE TO USE MY CREDIT CARD?
Yes. Sprouts takes its customers’ privacy very seriously. Sprouts works with its vendors and major credit card companies to ensure that it is using appropriate security measures, both electronic and physical. Sprouts continues to monitor its systems and security and is confident that its customers may safely use their credit cards and debit cards in its stores.
WHERE CAN I GET ADDITIONAL INFORMATION?
You can visit our website at www.sprouts.com/securityalertfaqs or you can contact Sprouts at 1-866-890-8949 between 9:00 AM and 5:00 PM MST every day.
In addition, the Federal Trade Commission has helpful information for consumers concerned about protecting their information on its website at http://www.consumer.ftc.gov/features/feature-0014-identity-theft.