On February 27, 2008 Hannaford Bros. became aware of unusual credit card transaction activity and began an internal investigation. Hannaford Bros. upon confirming there was in fact a cybersecurity breach contacted the proper law enforcement officials, including the U.S. Secret Service and affected credit and debit card banking authorities to work in unison to investigate the breach. The Secret Service’s spokesman Malcolm Wiley confirmed that Hannaford Bros. did contact them, and that the Secret Service was investigating, but would make no further comment on the case.
As the investigation progressed it was learned that the actual data breach originated on December 7, 2007 and that it wasn’t until March 10, 2008 that they were able to contain it. There has been much criticism that Hannaford Bros. did not make a public statement to it’s customers until March 17, 2008 and that when the company did there was very little information or assistance to the victims of the theft.
The 4.2 million credit and debit card numbers that were stolen occurred in 165 Hannaford Bros. supermarket stores across the Northeast of the United States and 106 Sweetbay stores in Florida, putting more than four million individuals at risk for credit card fraud. Since the breach occurred there have been approximately 1800 incidents of fraud already reported.
Many victimized customers filed suit against Hannaford Bros and one such class action suit filed in the U.S. District Court of Maine alleges Hannaford Bros. was negligent for failure to maintain adequate data security of customer credit and debit card data. Furthermore, the suit maintains that Hannaford’s customers have suffered damages due to Hannaford Bros. lack of adequate cyber data security to protect their sensitive information.
In the statement made by Hannaford Bros. CEO, Ronald C. Hodge said,
For more than 125 years, Hannaford has been dedicated to earning the trust of our customers, and we sincerely regret any concern or inconvenience this has caused. We have taken aggressive steps to augment our network security capabilities.
Credit and debit card numbers were stolen during the card authorization transmission process but no personal information like names, addresses or telephone numbers was divulged. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.
As part of their statement Hannaford warned its customers to beware of any emails or phone calls from anyone claiming to be a Hannaford Bros. representative inquiring about any type of personal information. And the company asked that their customers be vigilant in monitoring their credit card and banking statements for any unauthorized charges or activities. They advised all affected individuals to promptly report any unauthorized charges or abnormalities to their credit card company or banking institution.
Because Hannaford does not retain names or addresses in its systems for customers that utilize a credit or debit card in their stores it is not possible for them to contact the credit and debit card holders to notify them of the breach individually. On the Hannaford Bros. website the company is instructing customers to call the support line at 1-866-591-4580 if they need assistance or have questions. Essentially Hannaford is leaving the notification process of its customers to law enforcement or the banks associated with the credit and debit cards.
Approximately seventy banking institutions in Massachusetts have been alerted by MasterCard and Visa of the Hannaford Bros. data breach, according to the Massachusetts Bankers Association (MBA). In its warning to the seventy Massachusetts banks, MasterCard called the Hannaford intrusion a “potential security breach” and stated that the incident is under investigation by the appropriate law enforcement officials. In their statement, the Massachusetts Bankers Association included this warning directed towards consumers: “The MBA estimates that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and is urging consumers to monitor their accounts.”
Hannaford has said they are cooperating with credit and debit card issuers and law enforcement to ensure that their customers are protected and that they are actively working with both entities to identify the cyber criminals responsible for the theft.
Additional Resources About This Breach: