More than 4 million credit, debit cards exposed in security breach

Published 18 March 2008

Supermarket chain Hannaford Bros., with 270 stores nationwide, says that a security breach in its system exposed 4.2 million credit and debit cards; 1,800 cases of fraudulent use already detected

Hannaford Bros. supermarket chain two days ago said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency. The intrusion is only the latest to strike a large retailer and comes amid growing scrutiny of the payments industry, which faces tough proposed rules on how customer information is handled. Boston.com’s Ross Kerber writes that concern over the issue crystallized last year following the theft of up to 100 million customer card numbers from Framingham retailer TJX Cos. Also last year, four men from Southern California received prison sentences after pleading guilty to US charges that they stole payment information at checkout counters at Stop & Shop Supermarket Cos. stores in Rhode Island.

Hannaford, based in Scarborough, Maine, said compromised cards were used in transactions at all 165 stores it operates, plus transactions at 106 Sweetbay stores in Florida and 23 independently run stores that use Hannaford operating systems. Hannaford Bros. is owned by Belgium’s Delhaize Group. A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken. She said executives would not agree to be interviewed about what happened. In a statement posted to Hannaford’s website, chief executive Ronald C. Hodge wrote that the data “was illegally accessed from our computer systems during transmission of card authorization.” No names or addresses were accessed in the intrusion, Hodge wrote, adding that the stolen data was limited to credit and debit card numbers and expiration dates.

What could make the Hannaford case unusual is that since last spring its stores have met industry standards regarding how customer data is stored and maintained, Eleazer said. Many other retailers victimized by breaches, including TJX, had been faulted for lax security. It’s too soon to know whether Hannaford’s case will warrant the consideration of further security reforms, said Ted Julian, vice president of strategy at Application Security, a New York database services company. Maine is among the majority of states that have passed laws requiring companies to notify consumers when data is lost or stolen, but Eleazer said Hannaford wasn’t legally required to disclose the breach and only chose to do so yesterday once it had gathered enough information to be helpful to consumers. It is encouraging shoppers to monitor all payment card statements and to contact their card issuers or banks if questionable charges appear.

Banks have previously complained that Visa and MasterCard system rules put too many of the costs of dealing with data breaches on financial institutions. Yesterday, before Hannaford’s disclosure, the Massachusetts Bankers Association said in a statement that up to 70 banks in Massachusetts had been warned by MasterCard and Visa of a data breach at a major retailer between 7 and 10 December, but that the credit card firms had not named the retailer. Not long afterward, Hannaford came forward.