Retail data breach may have affected hundreds of thousands

US grocery chain acknowledges intrusions into its systems, says payment card data stolen

Hannaford Bros. Co., a supermarket chain based in the US state of Maine, Monday disclosed that it had been hit by an intrusion into its computer network - a data breach that may force banks in the Northeast and Florida to block and reissue hundreds of thousands, or even millions, of credit and debit cards.

In one of the first official confirmations of something that has been rumored for the past few days, the Massachusetts Bankers Association (MBA) today issued a statement warning consumers about a large retail data security breach.

The MBA said that between 60 and 70 of its member banks have been contacted about the breach by MasterCard and Visa. The group added that although the credit card companies didn't disclose the name of the involved merchant, they described it as a "major retailer."

Hannaford later posted an advisory on its Web site saying that it had contained the intrusions after being "made aware of suspicious credit card activity" on Feb. 27. The grocer said that credit and debit card numbers and expiration dates were stolen from its systems during the transmission of data for transaction authorization purposes.

But Hannaford added that no names, addresses or other identifying information was taken. The company also said that it "doesn't collect, know or keep any personally identifiable customer information from transactions."

In its statement (download PDF), the MBA estimated "that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected." The banks were told that the data breach occurred between Dec. 7 and March 10, the MBA said. The group urged consumers in New England to monitor their payment card accounts and said it "wants customers to know that this was not a problem caused by banks."

The 26,000-member First New York Federal Credit Union, which has offices in Albany, Saratoga Springs and five other communities in upstate New York, also issued an alert saying that it had been notified of the breach by Visa last Friday. First New York said that as part of the notification, it was sent "a large list" of Visa credit card and check card accounts that had been compromised during the breach.

"This means that the criminals responsible for the breach of the retailer's network have obtained the card numbers of many of our members," the credit union noted. It added that cards belonging to the affected customers would be deactivated and that new cards would be issued within the next few days.

MasterCard and Visa officials didn't immediately respond to a request for comment. However, MasterCard did issue a statement in which it characterized the incident as a "potential security breach" and said that the matter is being investigated by law enforcement officials. Because of the ongoing investigation, the company declined to disclose additional details.

Avivah Litan, an analyst at Gartner Inc., said that the incident appears to have be an extensive breach involving the theft of magnetic stripe data. Such data "can be used to make counterfeit cards," Litan noted. "Otherwise, Visa and MasterCard wouldn't have bothered notifying all these banks."

Under the Payment Card Industry Data Security Standard mandated by the major credit card companies, retailers are prohibited from taking information from the magnetic stripes on the back of credit and debit cards and storing it in their systems. But as evidenced by the latest breach, many merchants still appear to be storing the data, Litan said. She added that based on what she has heard, this could rank among "the largest card data breaches we have seen publicized" thus far.

The largest retail breach in the U.S. to date occurred at The TJX Companies Inc., which disclosed early last year that intruders had accessed its systems starting in mid-2005. Framingham, Mass.-based TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. But even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the intrusions.

The MBA said in its statement about the new breach that it has been lobbying the credit card companies to change their rules on not identifying retailers that are hit by breaches, while also pursuing legislation that would force the card companies to do so.

"Releasing the name of the retailer [involved in a breach] would make all of our lives easier and safer," Daniel Forte, the MBA's president and CEO, said as part of the statement. "Customers who didn't shop there would be put at ease, and banks could do more efficient investigations to better protect customers. It's an important issue and one that we are vigorously pursuing."

Robert McMillan of the IDG News Service contributed to this story.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?