Hannaford Defends Timing of Data Breach Disclosure

MICHAEL GARRY

SCARBOROUGH, Maine — Some observers believe Hannaford Bros. here waited too long to inform consumers of the security breach that exposed 4.2 million credit and debit cards to fraudulent misuse and led to about 1,800 cases of fraud so far. “There should be immediate disclosure — otherwise it puts consumers at risk,” said Paul Stephens, director of policy and advocacy, Privacy Rights Clearinghouse, San Diego. In addition, the Boston Globe reported this week that Massachusetts officials felt the chain had not informed them of the breach fast enough. Hannaford Bros., a division of Belgium-based Delhaize Group, acknowledged the breach on its website Monday. “We moved with all deliberate speed with the information that we could have confidence in,” said Carol Eleazer, vice president of marketing at Hannaford. She declined to say whether Hannaford was advised by law enforcement to hold back on going public with the news. Hannaford was initially informed of “unusual credit card activity” associated with its consumers on Feb. 27, said Eleazer. The breach is believed to have been initiated on Dec. 7, according to reports. Hannaford believed “with a high degree of confidence” that its system was cleansed as of March 10. However, it took another week of testing and auditing to ensure that “our measures were effective in preventing the criminal activity from continuing,” she said.

Read More of Today's Headlines