One of the largest food wholesalers in the USA is warning its customers that their credit card details may have been stolen.

Restaurant Depot – which also owns the Jetro cash and carry chain – says in a letter to customers posted on its website  that people who used credit or debit cards in its stores between 21 September and 18 November may have lost data including names, card numbers, expiry dates and verification codes.

Media reports say that 'cyber criminals’ injected malware into Restaurant Depot’s computer system that processes data from customers' credit and debit cards. This software stored the card data for some time and then sent it to a server located in Russia.

The data thefts may have taken place over several weeks but only came to light recently when customers complained that money was mysteriously disappearing from their accounts.

StarForce Technologies, a leading Russian-based vendor of software protection tools, says that some basic security may have prevented this data loss.

Dmitry Gusev, deputy marketing director deputy of StarForce, said: "Cyber-thieves must investigate the object of attack, software system or single program before they are ready to inject malware into it.

"All software has bugs and security holes which could be exploited are like an open gates for spyware. To prevent a hacker from analysing software we can protect its code, obfuscate algorithms and make it a real nightmare for hacker to understand how this piece of software works and where there are security holes." 

"It is not necessary to secure the whole program but only those modules which are most important, such as money transferring or personal data processing."

Unfortunately, this is not the first time that card data has been stolen with the help of injected spyware. For example the infamous Zeus virus made its owner $70 million richer. In 2011, US police disabled a cyber-criminal network which had operated for several years and stolen around $100 million.

The letter to customers from Restaurant Depot says: "Computer forensic investigators we hired to investigate the incident currently believe that unauthorized persons obtained the names of cardholders, credit or debit card numbers, card expiration dates, and verification codes that were on the magnetic stripes of credit and debit cards used at our stores from September 21 through November 18, 2011.

"We learned on November 9 that some of our customers had experienced credit card fraud after they used their cards at one of our stores. We hired Trustwave, a leading computer forensic firm, on November 10 to investigate. 

"By November 18, Trustwave investigators had determined how the incident occurred and had taken steps to block further disclosures. At this time, Trustwave investigators continue their investigation and they will take any necessary additional steps to eliminate the threat of any further disclosures. Trustwave and our Information Technology staff reviewed the safeguards we use to protect card information and made appropriate changes to improve the security measures we use to protect card information."