4.2 Million Credit Cards Stolen from Grocery Store

by Pamela Mortimer

Nearly 1,800 cases of fraud have been reported as a result of 4.2 million credit and debit cards being exposed at an east coast supermarket chain. Hannaford Bros. announced on Monday that the breach affected all of its 165 stores located in the northeast as well as 106 Sweetbay stores located in Florida. Also affected were a small number of independent grocery stores that sell Hannaford products.

The announcement detailed that the information from the credit and debit cards were breached during the authorization process during customer check out. To date, 1,800 cases of fraud have been reported. Hannaford assured customers that no personal data is maintained from the cards during transactions, so names, addresses and telephone numbers have not been related to the unique card numbers.

Reports state that Hannaford was made aware of the breach on February 27. Investigators discovered that the data breach had been going on for some time, beginning December 7. The breach wasn't contained until March 10, according to Carol Eleazer, Hannaford's Vice President of Marketing in Scarborough.

"We have taken aggressive steps to augment our network security capabilities," Hannaford president and CEO Ronald C. Hodge said. "Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions."

The company urges its customers to continue to monitor their credit and debit cards for suspicious transactions and report any problems to authorities.

The U.S. Secret Service, investigators of electronic crimes such as data infiltration, has confirmed that it is investigating the matter but declined to comment on "the scope of the crime".

"The company did contact us, and we are investigating," said Secret Service spokesman Malcolm Wiley.

Visa has not made any comment on the breach, although MasterCard, the second-biggest U.S. credit card association, issued a statement before the Hannaford disclosure: "Because this incident is the subject of an ongoing law enforcement investigation, we cannot disclose additional details regarding the incident or otherwise comment at this time."

Mark Walker, attorney for the Maine Bankers Association, stated that the association sent an advisory warning to its member banks on Friday after learning about the breach. There were only a few who had reported suspicious activity involving their credit and debit cards, Walker said.

"I had expected there would be more than we've heard of," Walker said. "But it's still too early for us to tell."

Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, openly criticized Hannaford's delay in notifying the public of the source of the breach.

"Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs," Spitzer said. "We've been engaged in a dialogue for a couple years now about changing this rule.... Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer."

Paul Stephens, a spokesman for the consumer advocacy organization Privacy Rights Clearinghouse, said the delay in disclosure "puts consumers in a difficult position because they have no way of knowing whether their accounts may have been impacted or not".

Eleazer has defended Hannaford's decision.

"We moved with all deliberate speed to get out to customers with information that we could have confidence in," she said. "This is a complex undertaking."