Hannaford's security breach: credit/debit card info at risk

[KBCraig]

http://wbztv.com/local/retail.data.breach.2.678784.html

Mar 17, 2008 5:47 pm

Hannaford Bros Supermarkets Hit By Big Data Breach

BOSTON (WBZ) ? A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.

No personal data such as names, addresses or telephone numbers were divulged -- just account numbers.

Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn't contained until March 10, said Carol Eleazer, Hannaford's vice president of marketing in Scarborough.

"We have taken aggressive steps to augment our network security capabilities," Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. "Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions."

The company urged its customers to monitor their credit and debit cards for unusual transactions and report any problems to authorities.

The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it's investigating but declined to comment on the scope of the crime.

"The company did contact us, and we are investigating," said agency spokesman Malcolm Wiley.

MasterCard, the second-biggest U.S. credit card association after Visa, issued a statement before Hannaford's disclosure: "Because this incident is the subject of an ongoing law enforcement investigation, we cannot disclose additional details regarding the incident or otherwise comment at this time."

Calls to Visa were not returned.

Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said.

"I had expected there would be more than we've heard of," Walker said. "But it's still too early for us to tell."

Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, criticized the delay in public notification of the source of the breach.

"Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs," Spitzer said. "We've been engaged in a dialogue for a couple years now about changing this rule.... Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer."

Paul Stephens, of the San Diego-based consumer advocacy organization Privacy Rights Clearinghouse, said the delay in disclosure "puts consumers in a difficult position because they have no way of knowing whether their accounts may have been impacted or not."

Eleazer defended Hannaford's actions.

"We moved with all deliberate speed to get out to customers with information that we could have confidence in," she said. "This is a complex undertaking."

Hannaford is advising customers to take the following steps:

Customers should carefully review their financial institution and credit card statements, and immediately contact their credit card company or issuing bank with any questions or concerns about individual charges.

Customers with questions may call Hannaford's customer assistance line at 866-591-4580.

[41mag]

Just another reason to go to cash only.   

[Raineyrocks]

http://wbztv.com/local/retail.data.breach.2.678784.html

Mar 17, 2008 5:47 pm

Hannaford Bros Supermarkets Hit By Big Data Breach

BOSTON (WBZ) ? A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.

No personal data such as names, addresses or telephone numbers were divulged -- just account numbers.

Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn't contained until March 10, said Carol Eleazer, Hannaford's vice president of marketing in Scarborough.

"We have taken aggressive steps to augment our network security capabilities," Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. "Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions."

The company urged its customers to monitor their credit and debit cards for unusual transactions and report any problems to authorities.

The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it's investigating but declined to comment on the scope of the crime.

"The company did contact us, and we are investigating," said agency spokesman Malcolm Wiley.

MasterCard, the second-biggest U.S. credit card association after Visa, issued a statement before Hannaford's disclosure: "Because this incident is the subject of an ongoing law enforcement investigation, we cannot disclose additional details regarding the incident or otherwise comment at this time."

Calls to Visa were not returned.

Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said.

"I had expected there would be more than we've heard of," Walker said. "But it's still too early for us to tell."

Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, criticized the delay in public notification of the source of the breach.

"Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs," Spitzer said. "We've been engaged in a dialogue for a couple years now about changing this rule.... Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer."

Paul Stephens, of the San Diego-based consumer advocacy organization Privacy Rights Clearinghouse, said the delay in disclosure "puts consumers in a difficult position because they have no way of knowing whether their accounts may have been impacted or not."

Eleazer defended Hannaford's actions.

"We moved with all deliberate speed to get out to customers with information that we could have confidence in," she said. "This is a complex undertaking."

Hannaford is advising customers to take the following steps:

Customers should carefully review their financial institution and credit card statements, and immediately contact their credit card company or issuing bank with any questions or concerns about individual charges.

Customers with questions may call Hannaford's customer assistance line at 866-591-4580.

  I just freaking went grocery shopping there today!  Your right 41mag, cash is better, damn!

[KBCraig]

The Union Leader article (not significantly different, but edited for local content):

http://www.unionleader.com/article.aspx?headline=Data+breach+hits+Hannaford&articleId=89ccf5cc-a246-4558-879a-585d024d098f

[Puke]

Debit cards should have a system where you have to approve the charge within a day or so. I check my online bak site for transactions once a week to make sure nothing shows up that I'm not aware of.

[David]

If it is rang in as a debit, the cash is immediantly taken from your account.  The problem is they can be rang in as credit as well, and it will put a hold on your money, but the actual transaction clears sometime later, sometimes a few days. 

[Raineyrocks]

Dummy me!  I had to use a credit card with a big amount available because we were waiting for Rick's paycheck from his old job he went back to and I figured I'll just pay the whole grocery bill when the credit card is due.  I'll check, I always do anyway!

[Raineyrocks]

Thanks for posting the article KB!   I forgot to thank you before at least now I know to be on the lookout.

[JonM]

I only tend to use one credit card at supermarkets because I get a point multiplier for that.  I called them up regarding the data breach yesterday and they said they sent me a new card on Monday.