SCARBOROUGH, Maine — Hannaford Bros. has not experienced a “material or notable” decline in sales volume or credit-card use in the three weeks following the chain's disclosure that it experienced a credit-card data breach, a Hannaford executive told SN last week.
“We have fabulous customers, and they were understanding that this was an attack on our system,” Carol Eleazer, vice president of marketing at the chain, told SN. “They seem to understand that Hannaford Bros. would and did take care of their data.”
The company, owned by Brussels-based Delhaize Group, disclosed last month that 4.2 million of its customers' credit- and debit-card numbers were exposed to potential theft after a malicious piece of software had somehow been placed on the servers at nearly every store in the chain. Sister chain Sweetbay, based in Tampa, Fla., was part of the breach as well.
The software reportedly gathered the card numbers as they were being sent for approval to a transaction processor and later transmitted them out of the country. It was not immediately known how the software came to be placed on the servers. A forensic investigation is ongoing and could last “a few more weeks,” Eleazer told SN.
Once the investigation is closed, Hannaford will “work with that to gain understanding, and then make decisions about what [information] is appropriate to share and what is sensitive to network security,” she said.
In the meantime, the company has stepped up its efforts to communicate with customers by placing easel signs in stores and fliers in shopping bags explaining the situation.
Hannaford first issued an online apology from Chief Executive Officer Ron Hodge on March 17, “and we have been apologizing ever since for the concern and inconvenience we have been causing our customers,” Eleazer said.
Observers told SN it was too soon to determine whether changes would need to be made to the Payment Card Industry Data Security Standard, a series of 12 protocols established by the major credit-card companies for merchants to follow in protecting card users' data. Hannaford said a February audit found it was in compliance with the PCI standards.
A PCI Security Standards Council spokesman said the PCI guidelines undergo frequent review and modification, although he declined to comment on the specifics of the Hannaford incident.