Vincent Feli Boy’s Blog

I understand that breaches happen and will continue to happen until retailers take security seriously. I’m less angry about the actual breach than I am about how Hannaford handled it, and ultimately, its absolute lack of disclosure to customers. * It took nearly 3 months for Hannaford to figure out there was a breach. Are you kidding me, 3 months? * What really gets me: Hannaford knew something was wrong on Feb. 27 but didn’t contain the breach until March 10.

So for nearly 2 weeks, Hannaford allowed customers to continue to use their plastic on a network that was not secure. Why not shut down all credit/debit transactions? Why not have cashiers advise customers to use cash or a check? * Another week passed before the breach was contained (March 10) and Hannaford announced (March 17). Hannaford was no doubt working with its lawyers (message: who cares about the customers, let’s let them wait another week and subject them to additional fraud risk before we tell them). The way Hannaford handled this amounts to an egregious and unforgivable “breach” of customer trust.

(more…)

Hannaford, which has some two dozen Massachusetts stores, said the breach began Dec. 7 and continued until March 10. Anyone who used a credit or debit card during that period at the chain’s 165 New England and New York stores or 106 Sweetbay outlets in Florida faces potential problems.

So do customers who shopped at an undisclosed number of small grocers that stock Hannaford products. “We sincerely regret this intrusion into our systems, which we believe are among the strongest in the industry,” CEO Ron Hodge said in an open letter posted on the Maine-based chain’s Web site. However, Hannaford admitted that it first learned of the security breach nearly three weeks ago. Paul Stephens of the Privacy Rights Clearinghouse said such a delay in disclosing the problem “puts consumers in a difficult position, because they have no way of knowing whether their accounts may have been impacted or not.” But Hannaford Vice President Carol Eleazer defended her firm’s actions, saying the chain “moved with all deliberate speed to get out to customers with information that we could have confidence in.

(more…)

The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it’s investigating but declined to comment on the scope of the crime. “The company did contact us, and we are investigating,” said agency spokesman Malcolm Wiley. MasterCard, the second-biggest U.S. credit card association after Visa, issued a statement before Hannaford’s disclosure: “Because this incident is the subject of an ongoing law enforcement investigation, we cannot disclose additional details regarding the incident or otherwise comment at this time.

” Calls to Visa on Monday were not returned. Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, said holders of debit cards involved in the Hannaford case are most at risk of fraud. Banks generally cover costs from fraudulent charges on credit cards, but a criminal could potentially drain a victim’s bank account and leave them with the task of convincing a bank they deserve to be reimbursed. “Any time a debit card number is exposed, the affected individuals need to be contacted immediately, and their accounts should be closed down,” Givens said. Mark Walker, an attorney for the Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach.

(more…)