Thieves Steal 4.2 Million Credit And Debit Card Numbers From Supermarket Servers
Hannaford Bros. CEO Ron Hodge said the data intrusion had been contained and that names and addresses were not accessed.
Thieves stole an estimated 4.2 million credit and debit card numbers from the Scarborough, Maine-based Hannaford Bros. and Sweetbay supermarket chains, Hannaford Bros. Co. said on Monday.
In a letter posted on the company Web site, Hannaford Bros. CEO Ron Hodge said that the data intrusion had been contained and that names and addresses were not accessed because the company does not store personally identifiable customer information with transaction data.
As a consequence, the company said it is unable to notify potentially affected customers. The company said it is working with credit and debit card issuers to determine the impact of the stolen data.
"We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry," said Hodge. "The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization."
The use of the word "transmission" in Hodge's statement suggests that data may have been intercepted while being transmitted through a wireless system. The Wall Street Journal, citing an unnamed source, said on Tuesday that investigators are looking at Hannaford's wireless system as a possible point of access.
As many as 1,800 cases of fraud have been linked to the data theft, according to the Associated Press.
Hannaford Bros. did not respond to a request for comment. The company is owned by the Delhaize Group, based in Belgium.
The intrusion affected Hannaford Stores in New England and New York, Sweetbay stores in Florida, and some independently-owned retail stores in the Northeast that sell Hannaford products. Hannaford Brothers said that the intrusion was detected on February 27.
The Massachusetts Bankers Association, which represents about 200 financial institutions in New England, said on Monday that Visa and MasterCard had contacted between 60 and 70 banks in Massachusetts about a large data breach that had occurred at "a major retailer." Visa and MasterCard did not name Hannaford Bros. as a matter of policy.
The Hannaford incident is the largest publicly known data breach in the U.S. since September 2007, when hackers accesses 6.3 million Ameritrade customer name and address records. In January 2007, TJX Companies disclosed that data thieves had accessed its servers during the previous year. An estimated 94 million credit and debit card records were stolen.
In December 2007, the Massachusetts Bankers Association said that it had settled its lawsuit against TJX Companies under undisclosed terms.
Hannaford is advising customers to carefully review their credit and debit card statements over the past three months and to contact the issuing institution immediately in the event of any irregularity.
Hannaford has set up a customer assistance line at 866-591-4580.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.