PORTLAND, Maine — At least six class-action lawsuits have been filed in Federal District Court here against Hannaford Bros. and its parent company, Delhaize Group, following the chain's disclosure that up to 4.2 million credit and debit card numbers might have been put at risk by a security breach.
The chain said 1,800 cases of fraud were reported in connection with the incident, which also impacted customers of Hannaford's sister chain in Florida, Sweetbay, and some independent stores that Hannaford supplies.
Although Hannaford has claimed it was in compliance with the Payment Card Industry Data Security Standard, the lawsuits that have been filed against it allege that the measures the company took were inadequate and that the company waited too long to disclose the breach.
Hannaford said it was first informed of “unusual credit card activity” associated with its consumers on Feb. 27, although the breach was believed to have been initiated on Dec. 7, according to reports. On March 17, the chain publicly disclosed that the breach had occurred, following testing to ensure that the theft was not continuing, a spokeswoman for Hannaford told SN.
At least one of the suits, filed by the Bangor, Maine-based law firm of Lanham Blackwell, alleges that Hannaford also violated the Maine Unfair Trade Practices Act, which prohibits deceptive business practices. In essence, it alleges that Hannaford had promised to keep its customers' data safe and then failed to do so.
The suits seek unspecified damages.
A spokesman for Hannaford Bros. said the chain does not comment on pending litigation.
According to David Navetta, an attorney specializing in data theft and president of Denver-based InfoSecCompliance, Hannaford's liability could be minimized if inspections subsequent to the breach verify that the chain actually was PCI-compliant. However, he pointed out, compliance does not completely insulate the chain from liability.
“Even if you comply with the industry standard, they can still say you should have been doing more,” he said. “The entire industry could have been doing something as a whole unreasonably.”
He pointed out that it was too early in the process to determine Hannaford's potential level of liability, but the company does appear to be better positioned than TJX Cos., which suffered a much larger data breach about a year ago and quickly determined that its data security did not meet industry standards.
That company, parent of retail chains T.J. Maxx, Marshall's and others, said in a recent filing with the Securities and Exchange Commission that it took a reserve of $178.1 million as an estimated cost for all matters related to that incident, which reportedly exposed about 45.7 million card numbers to theft. TJX said it has settled many of the lawsuits filed against it, which included class actions filed by consumers, banks and credit card companies.
As of late last week, the banks that were impacted by the Hannaford data breach had not yet filed suit against the chain, but reports said some local banks had incurred costs of hundreds of thousands of dollars just to issue new credit cards.
“It remains to be seen if Hannaford is even liable in this,” one local bank president was quoted as saying.
Calls to bank associations in Massachusetts and Maine were not returned last week.
Navetta said most suits in data-theft cases are settled out of court.
“In the Hannaford Bros. case, I think the question will be, were they in fact in compliance with PCI?” Navetta said. “The plaintiffs' attorneys will look at how they went about that process of becoming compliant, and if there are areas where they were not compliant, the plaintiffs' attorneys will try to show that if they had been compliant, they would have potentially avoided the security breach.”
He also suggested that if Hannaford were found to be in compliance with PCI by an outside auditor, but subsequent analysis shows that it was not in fact compliant, then those auditors could be held liable.
Tom Kellerman, vice president of security awareness for Core Security Technologies, a Boston-based supplier of software that tests security systems, said he believes the PCI standard needs to be updated.
“It's definitely a good step forward, but it has some serious gaps in its ability to thwart the sophisticated hacker of 2008,” he said.
He cited PCI's reliance on password protection as an example, noting that “passwords have become obsolete” when it comes to financial data security. He also advocated more frequent testing of security systems and said retailers have become overly reliant on encryption.
Hannaford has not disclosed exactly how its data was stolen, although Kellerman suggested it could have happened during a wireless transmission or via a “compromised device” in the chain's system.
“The retail stores are going to continue to be targeted, because they are an easy link in the food chain that is financial data,” he said.