Hannaford Bros. Co., a Maine-based supermarket chain, today disclosed that it had been hit by intrusions into its computer network — a data breach that may force banks in the Northeast and Florida to block and reissue hundreds of thousands, or even millions, of credit and debit cards.
In one of the first official confirmations of something that has been rumored for the past few days, the Massachusetts Bankers Association (MBA) today issued a statement warning consumers about a large retail data security breach that occurred between Dec. 7 and March 10.
The MBA said that nearly 70 of its member banks have been contacted about the breach by MasterCard and Visa. The group added that although the credit card companies didn't disclose the name of the involved merchant, they described it as a "major retailer."
Hannaford later posted an advisory signed by President and CEO Ronald Hodge on its Web site, saying that the grocer had contained the intrusions after being "made aware of suspicious credit card activity" on Feb. 27. Hodge said in the advisory that credit and debit card numbers and expiration dates were stolen from Hannaford's systems during the transmission of data for transaction authorization purposes.
But he added that no names, addresses or other identifying information was taken. He also wrote that the company "doesn't collect, know or keep any personally identifiable customer information from transactions."
According to Hannaford, the breach affected customers at the company's supermarkets in New England and New York, as well as at its Sweetbay stores in Florida. Transactions conducted at some independently owned retail stores in the Northeast that carry Hannaford products were also affected, the company said.
In the message from Hodge, Hannaford didn't mention the number of payment cards that were compromised. But citing company officials, the Associated Press reported that as many as 4.2 million credit and debit card numbers may have been taken, and that about 1,800 cases of fraud have been reported as a result of the breach thus far.
Hannaford said customers who have used their credit or debit cards to make purchases at its stores over the past three months should notify their card issuer or bank, and check their card statements for any potentially fraudulent transactions. "We sincerely regret this intrusion into our systems, which we believe are among the strongest in the industry," Hodge wrote in the advisory.
The company defended its security measures, saying in a "customer Q&A" document that they meet and in many cases "go above and beyond" industry standards. But Hannaford added that it is "committed to taking whatever steps may be necessary" to beef up its IT defenses to prevent similar incidents in the future.
Meanwhile, most of the links on Hannaford's Web site have been disabled today. Only the home page and the links to the information about the breach appear to be working; other pages feature a message saying that "Hannaford.com is currently undergoing site maintenance."
In its statement (download PDF), the MBA estimated "that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected." The group urged consumers in New England to monitor their payment card accounts and said it "wants customers to know that this was not a problem caused by banks."
The 26,000-member First New York Federal Credit Union, which has offices in Albany, Saratoga Springs and five other communities in upstate New York, also issued an alert saying that it had been notified of the breach by Visa last Friday. First New York said that as part of the notification, it was sent "a large list" of Visa credit card and check card accounts that had been compromised during the breach.
"This means that the criminals responsible for the breach of the retailer's network have obtained the card numbers of many of our members," the credit union noted. It added that cards belonging to the affected customers would be deactivated and that new cards would be issued within the next few days.
MasterCard and Visa officials didn't immediately respond to a request for comment. However, MasterCard did issue a statement in which it characterized the incident as a "potential security breach" and said that the matter is being investigated by law enforcement officials. Because of the ongoing investigation, the company declined to disclose additional details.
Avivah Litan, an analyst at Gartner Inc., said that based on the alerts sent to banks by Visa and MasterCard, the intrusion at Hannaford appears to have involved the theft of magnetic stripe data from the back of credit and debit cards. Such data "can be used to make counterfeit cards," Litan noted. "Otherwise, Visa and MasterCard wouldn't have bothered notifying all these banks."
Under the Payment Card Industry Data Security Standard mandated by the major credit card companies, retailers are prohibited from storing magnetic stripe data in their systems. In this case, Litan said, the card information appears to have been stolen while it was in transit from Hannaford's systems to those of the financial institution that processes transactions for the chain.
"Thieves are going after data in transit," she said, noting that as companies get better at protecting stored data, more attackers are targeting information while it's being transmitted. According to Litan, many merchants still don't encrypt such data, even though doing so is a requirement under the industry security standard, which is known by the acronym PCI.
The largest retail breach in the U.S. to date occurred at The TJX Companies Inc., which disclosed early last year that intruders had accessed its systems starting in mid-2005. Framingham, Mass.-based TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. But even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the intrusions.
In Massachusetts, the MBA said in its statement about the new breach that it has been lobbying the credit card companies to change their rules on not identifying retailers hit by breaches. The group also is pursuing legislation that would force the card companies to name names.
"Releasing the name of the retailer [involved in a breach] would make all of our lives easier and safer," Daniel Forte, the MBA's president and CEO, said as part of the statement. "Customers who didn't shop there would be put at ease, and banks could do more efficient investigations to better protect customers. It's an important issue and one that we are vigorously pursuing."
Robert McMillan of the IDG News Service contributed to this story.