Grocery Chain Breach Affects 4.2 Million Credit, Debit Cards
While details of the breach have yet to be revealed, Hannaford President and CEO Ronald Hodge said in a written statement that the data was "illegally accessed from our computer systems during transmission of card authorization."
So far, at least 1,800 cases of fraud have already been reported as a result of the Hannaford breach. However, Hannaford officials maintained that the stolen data was limited to credit and debit card numbers and expiration dates, and that no personal information, such as names and addresses, was accessed.
"While we deeply regret that this occurred, we do know that the scope is limited to account numbers and not to name or addresses or information that would allow identity theft," said Michael Norton, internal communications manager for Hannaford supermarkets. "That doesn't change the fact that we take it very seriously. It's just an important point so people have a sense of what the challenge is."
Hannaford, based in Scarborough, Maine, said that the data breach affected customer cards that were used at more than 270 stores, including the 165 stores it runs and operates, 106 Sweetbay stores in Florida and 23 independently run stores that use Hannaford operating systems.
The company said it first became aware of suspicious credit card activity as the result of the breach on Feb. 27. Hannaford advised any customers who have made a credit or debit card purchase at one of its stores within the last three months to notify their credit card companies immediately and to keep a close eye on their account statements.
Maine is among the majority of states that have passed laws requiring public disclosure to all affected individuals following a data breach. However, the grocery retailer said that it wasn't legally required to disclose the breach but chose to do so once it had gathered enough information to be helpful to customers, according to a Boston Globe report.
The grocery chain said that it had alerted law enforcement authorities and was "working closely with them to help identify those responsible." Hannaford execs also maintained that the company was cooperating with credit and debit card issuers to further ensure protection of its affected customers.
In addition, Hannaford said that the company has continually "devoted significant resources to ensure Hannaford has comprehensive data security systems in place," asserting that its compliance standards "go above and beyond" industry requirements.
"We're basically taking these steps to look at vulnerabilities, harden our systems, and increase monitoring," said Norton. "We think that over time, that's what's going to be most reassuring to our customers. But we're committed to looking ahead."
However, experts say that this latest incident underscores the need for businesses to classify their sensitive data and ensure that their systems are compliant with Payment Card Industry and other regulatory standards.
"(PCI compliance) is a significant effort for many businesses, which really means that they haven't finished. There are quite a few businesses out there that have not joined this bandwagon," said Avishai Wool, CTO and founder of AlgoSec. Wool said that businesses often fall short in security because they rely on systems, or parts of systems, that predate the Internet era. "Security may have been added as an afterthought. It wasn't engineered from the beginning and added at a later stage," he said.
Many breaches will continue to affect second-tier businesses, such as retailers, which might not have the appropriate technologies in place to counter sophisticated attacks, experts say. Security experts also assert that more and more businesses will likely feel compelled to upgrade security and meet regulatory compliance standards in order to keep their names out of the papers.
"To ensure that the data is held securely, data should be held in encrypted form, something that the hackers can't get past, and protected with passwords and other security devices," said Graham Cluley, senior tech consultant at Sophos, adding that companies also will be required to closely examine and limit the number of people who have access to sensitive data. "Most of your workers will never need that information but have access to it," he said.
"Certainly compared to financial institutions, (retailers are) not as up to speed," Cluley added.
Meanwhile, the Massachusetts Bankers Association issued a statement on Monday that both Visa and Mastercard have already contacted between 60 and 70 banks in Massachusetts regarding the data breach.
MBA execs said that individual customers would be protected. "If cards are to be replaced, consumers will be notified by their bank," said Daniel Forte, president and CEO of the MBA in a written statement. "In the event that fraud does occur due to a data breach, even though our banks did not cause this breach, the banks will hold each customer harmless, refunding any lost money."
The MBA said that each bank that received an alert from the card companies will make its own decision whether or not to issue new cards or to simply monitor the potentially affected accounts as details about the breach unfold.
The MBA encouraged customers to monitor their accounts by going online or examining their bank statements that arrive in the mail. The MBA recommends that customers report any irregularities to their respective financial institutions.