washingtonpost.com
Grocer Says Data Were Compromised

By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, March 19, 2008

The Hannaford Bros. supermarket chain said this week that a breach of its computer systems may have given criminals access to more than 4 million customer credit and debit card numbers.

The breach, which began in December and lasted until early this month, affected cards used at 270 Hannaford grocery stores in Maine, Massachusetts, New Hampshire, New York and Vermont, as well as the company's Sweetbay stores in Florida.

Hannaford chief executive Ronald C. Hodge said in a statement that the stolen data included credit and debit card numbers and expiration dates and was illegally accessed from the company's computer systems while transactions were being processed and authorized.

The Massachusetts Bankers Association said Visa and MasterCard have contacted 60 to 70 banks in Massachusetts about the breach.

Experts said these types of violations are increasingly common, even for companies that follow the credit card industry's security standards.

"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be compliant and still have customer data stolen," said Bryan Sartin, vice president of investigative response for Cybertrust, a division of Verizon Business.

Sartin said the unit is responding to a number of data breaches in which hackers have targeted financial data as it is being transferred from the retailer to the credit card processor. Although payment card industry standards require retailers to encrypt information when it traverses public networks, that requirement does not necessarily apply to a company's internal, nonpublic networks, he said.

Hannaford advises customers who shopped at its stores in the past three months to review their bank statements and immediately alert their financial institutions to any unauthorized charges.

View all comments that have been posted about this article.

© 2008 The Washington Post Company