Vincent Feli Boy’s Blog

I understand that breaches happen and will continue to happen until retailers take security seriously. I’m less angry about the actual breach than I am about how Hannaford handled it, and ultimately, its absolute lack of disclosure to customers. * It took nearly 3 months for Hannaford to figure out there was a breach. Are you kidding me, 3 months? * What really gets me: Hannaford knew something was wrong on Feb. 27 but didn’t contain the breach until March 10.

So for nearly 2 weeks, Hannaford allowed customers to continue to use their plastic on a network that was not secure. Why not shut down all credit/debit transactions? Why not have cashiers advise customers to use cash or a check? * Another week passed before the breach was contained (March 10) and Hannaford announced (March 17). Hannaford was no doubt working with its lawyers (message: who cares about the customers, let’s let them wait another week and subject them to additional fraud risk before we tell them). The way Hannaford handled this amounts to an egregious and unforgivable “breach” of customer trust.

(more…)

Hannaford, which has some two dozen Massachusetts stores, said the breach began Dec. 7 and continued until March 10. Anyone who used a credit or debit card during that period at the chain’s 165 New England and New York stores or 106 Sweetbay outlets in Florida faces potential problems.

So do customers who shopped at an undisclosed number of small grocers that stock Hannaford products. “We sincerely regret this intrusion into our systems, which we believe are among the strongest in the industry,” CEO Ron Hodge said in an open letter posted on the Maine-based chain’s Web site. However, Hannaford admitted that it first learned of the security breach nearly three weeks ago. Paul Stephens of the Privacy Rights Clearinghouse said such a delay in disclosing the problem “puts consumers in a difficult position, because they have no way of knowing whether their accounts may have been impacted or not.” But Hannaford Vice President Carol Eleazer defended her firm’s actions, saying the chain “moved with all deliberate speed to get out to customers with information that we could have confidence in.

(more…)

BOSTON — Hannaford Bros. supermarket chain announced Monday a security breach that led to thefts of customer credit and debit card numbers. Hannaford said the security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company put the number of unique credit and debit card numbers that were potentially exposed to fraud at 4.2 million.

The company said it currently is aware of about 1,800 cases of reported fraud related to the security breach. Ronald Hodge, Hannaford president and CEO, said the company has “taken aggressive steps to augment our network security capabilities” since unusual credit card activity came to light on Feb. 27. Read: Investigators later discovered that the data breach began on Dec. 7. The breach wasn’t contained until March 10.

(more…)

Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March.

The Secret Service is investigating, said spokesmen for Hannaford and the federal agency. The intrusion is only the latest to strike a large retailer and comes amid growing scrutiny of the payments industry, which faces tough proposed rules on how customer information is handled. Concern over the issue crystallized last year following the theft of up to 100 million customer card numbers from Framingham retailer Also last year, four men from Southern California received prison sentences after pleading guilty to US charges they stole payment information at checkout counters at Stop & Shop Supermarket Cos. stores in Rhode Island. Hannaford, based in Scarborough, Maine, said compromised cards were used in transactions at all 165 stores it operates, plus transactions at 106 Sweetbay stores in Florida and 23 independently run stores that use Hannaford operating systems. Hannaford Bros. is owned by Belgium’s.

(more…)

The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it’s investigating but declined to comment on the scope of the crime. “The company did contact us, and we are investigating,” said agency spokesman Malcolm Wiley. MasterCard, the second-biggest U.S. credit card association after Visa, issued a statement before Hannaford’s disclosure: “Because this incident is the subject of an ongoing law enforcement investigation, we cannot disclose additional details regarding the incident or otherwise comment at this time.

” Calls to Visa on Monday were not returned. Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, said holders of debit cards involved in the Hannaford case are most at risk of fraud. Banks generally cover costs from fraudulent charges on credit cards, but a criminal could potentially drain a victim’s bank account and leave them with the task of convincing a bank they deserve to be reimbursed. “Any time a debit card number is exposed, the affected individuals need to be contacted immediately, and their accounts should be closed down,” Givens said. Mark Walker, an attorney for the Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach.

(more…)