SCARBOROUGH, Maine — One of the largest retail security breaches in recent years has left Hannaford Bros. here and industry experts wondering how retailers will be able to ensure that consumers can safely use credit and debit cards to pay for purchases.
Hannaford Bros., a division of Belgium-based Delhaize Group, acknowledged last week that, despite certified security controls, a data breach had exposed 4.2 million credit and debit card numbers to fraudulent misuse and that about 1,800 cases of fraud linked to the breach had taken place to date. Only card data was compromised, not cardholder names or addresses. At least two lawsuits were filed (see Page 6).
The breach affected cards used at Hannaford's 165 stores in New England as well as at 106 Florida stores operated by Tampa-based Sweetbay, another Delhaize division whose IT operations are overseen by Hannaford, and at some independently owned Northeast stores that carry Hannaford products.
“This was a crime; we were attacked by people we don't know,” said Carol Eleazer, vice president of marketing at Hannaford. “We deeply regret the position we are in.”
An investigation led by the U.S. Secret Service is ongoing.
The security lapse took place in spite of industry-standard measures taken by Hannaford to protect consumer data. For example, the chain was certified in February and last spring as being in compliance with the Payment Card Industry Data Security Standard, said Eleazer. The chain had also installed encryption technology to further secure its consumer transactions. This may be the first publicly known breach of a PCI-compliant merchant, according to the website of Digital Transactions magazine.
“We have state-of-the-art technology; we constantly review and employ best practices and stay current with all security measures to safeguard consumer transactions,” said Eleazer. “But regrettably, in the wired world in which we live, vulnerabilities inevitably exist. That's the challenge for retailers and the opportunity for crooks.”
Asked what can be done to reassure consumers, Eleazer replied, “That's the big question,” adding, with laughter, “Can you help me out there?”
She said it was too soon to assess the effect on sales.
The Hannaford incident raises questions about the “robustness of the PCI standard,” said Dave Hogan, senior vice president and chief information officer for the National Retail Federation, Washington.
“We've been saying for a long time that we've got to come up with a different model for securing customer data,” Hogan told SN last week. “PCI tries to build a concrete wall around data, and every year the hackers just get more savvy and build a taller ladder.”
The PCI standard was established in 2005 by the major card associations, including Visa, MasterCard and American Express, as a uniform approach that combined the security measures developed by each association individually. The standard is now managed by the PCI Security Standards Council, Wakefield, Mass., which the associations created in 2006.
Last year, retailers such as TJX and Stop & Shop were involved in card-data security breaches, the former involving back-end systems, the latter involving tampering with PIN pads at the point of sale. The Hannaford breach is considered one of the largest in recent years outside of TJX's, which exposed some 45.7 million cards, said Paul Stephens, director of policy and advocacy, Privacy Rights Clearinghouse, San Diego.
Hannaford's security breach was caused by malware that infiltrated the chain's transaction-processing network, said Eleazer. Credit and debit card data was accessed "during the transaction process," as the data was being transmitted to third-party processors for authorization and settlement. The captured data included card numbers, expiration dates and the security codes that are encoded on a card's magnetic stripe rather than printed on the card.
“We don't keep or store personal or financial consumer information,” said Eleazer. “The only time it's in our system is during the transaction process” at the checkout.
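The point Eleazer makes is that card data never rested on disk, yet it was still readable while in flight. The following is an added example, not Hannaford's code and not a description of the malware involved: a small scanner that flags plaintext magnetic-stripe track data (the ISO 7813 Track 1 and Track 2 layouts, which carry the PAN, expiry, service code and issuer discretionary data where the stripe's verification value typically lives) in captured messages, the kind of check a defender would run on a store's transaction-processing segment to confirm that authorization traffic is actually encrypted or tokenized. The message format and card numbers below are constructed for illustration; the PANs are standard test numbers.

```python
"""Flag magnetic-stripe track data travelling in the clear.

Added example; not Hannaford's or any vendor's code. The Track 1 / Track 2
layouts and the Luhn check digit are standard (ISO/IEC 7813). The message
format in SAMPLE_TRAFFIC is an assumption made for illustration only.
"""
import re
from typing import Dict, Iterable, List

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> List[Dict]:
    """Return one finding per Luhn-valid track record found in text."""
    hits: List[Dict] = []
    for m in TRACK1_RE.finditer(text):
        pan, _name, exp, svc, disc = m.groups()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan_masked": mask_pan(pan), "expiry": exp,
                         "service_code": svc, "discretionary_present": bool(disc)})
    for m in TRACK2_RE.finditer(text):
        pan, exp, svc, disc = m.groups()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan_masked": mask_pan(pan), "expiry": exp,
                         "service_code": svc, "discretionary_present": bool(disc)})
    return hits


def scan(lines: Iterable[str]) -> List[Dict]:
    """Scan captured messages; each finding records the line it came from."""
    findings: List[Dict] = []
    for idx, line in enumerate(lines):
        for hit in find_track_data(line):
            hit["line"] = idx
            findings.append(hit)
    return findings


# Constructed sample of plaintext authorization messages (not a real capture).
SAMPLE_TRAFFIC = [
    "AUTH TERM=0042 AMT=54.12 ;4111111111111111=1012101123456789? ENTRY=SWIPE",
    "AUTH TERM=0042 AMT=12.99 %B5500000000000004^DOE/JANE^10121011234567890? ENTRY=SWIPE",
    "AUTH TERM=0043 AMT=20.00 ;4111111111111112=1012101123456789? ENTRY=SWIPE",  # bad check digit
    "AUTH TERM=0044 AMT=75.00 TOKEN=tok_2c9e4f1a ENTRY=SWIPE",  # tokenized: nothing to find
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TRAFFIC):
        print(f"line {f['line']}: track {f['track']} data in clear, "
              f"PAN {f['pan_masked']} exp {f['expiry']} svc {f['service_code']}")
```

Two findings are reported (the third line fails the Luhn test and the fourth carries only a token). The Luhn filter is what keeps a detector like this from firing on every 16-digit number in a log, and masking the PAN before it is logged matters because the scanner's own output would otherwise become a second copy of the cardholder data.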
No debit cards processed with a PIN (personal identification number) were affected by the breach. Debit cards that consumers used with a signature rather than a PIN, however, were affected.
“We recommend that consumers don't use debit cards, because they are too dangerous,” said Stephens of the Privacy Rights Clearinghouse. “They can have their bank accounts drained.”
Banks are required to reimburse consumers for debit card losses if they are reported in a timely fashion, he noted, but the process can take a few weeks. Most credit card companies do not hold consumers liable for credit fraud.
Hannaford was initially informed of “unusual credit card activity” associated with its consumers on Feb. 27, said Eleazer. The breach was believed to have been initiated on Dec. 7, according to reports.
The chain immediately began investigating its systems in concert with outside data security experts. The malware was eventually identified and neutralized via “reverse engineering,” she noted, adding that Hannaford believed “with a high degree of confidence” that its system was cleansed of malware as of March 10.
However, it took another week of testing and auditing to ensure that “our measures were effective in preventing the criminal activity from continuing,” she said. Then, on March 17, the chain disclosed what happened on its website.
Some observers believe Hannaford waited too long to inform consumers of the breach. “There should be immediate disclosure — otherwise it puts consumers at risk,” said Stephens. The Boston Globe reported last week that Massachusetts officials felt the chain had not informed them of the breach fast enough.
“We moved with all deliberate speed with the information that we could have confidence in,” said Eleazer. She declined to say whether Hannaford was advised by law enforcement to hold back on going public.
On its website, Hannaford advised consumers to “carefully review your financial institution and credit card statements, and immediately contact your credit card company or issuing bank with any questions or concerns about individual charges.”
The site also advised consumers to focus on transactions made during the past three months and to be wary of “hoax emails and calls” related to the breach.