Digital Transactions Authoritative, insightful and timely information for payments professionals
News of the first big data breach of 2008 broke Monday afternoon when Scarborough, Maine-based grocery chain Hannaford Bros. Co. acknowledged a data intrusion into its computer network that resulted in the theft of a reported 4.2 million customer credit and debit card numbers. The disclosure came only after the Massachusetts Bankers Association earlier in the day issued a press release urging consumers to monitor their card accounts because Visa Inc. and MasterCard Worldwide had contacted 60 to 70 Massachusetts banks warning of a breach at “a major retailer” that the state group said the networks refused to identify. According to Associated Press and Boston Globe reports, the breach has resulted in 1,800 confirmed cases of fraud. The breach reportedly involved all 165 Hannaford Bros. stores in the Northeast, 106 stores in Florida of corporate affiliate Sweetbay, and a smaller number of independent grocery stores in the Northeast that carry Hannaford products. Hannaford reportedly became aware of the breach Feb. 27, though investigation showed it began Dec. 7, and it wasn't “contained” until March 10, according to the AP. Exactly how the breach happened is unclear, but a statement from Hannaford president and chief executive Ronald C. Hodge indicated it happened during the transaction process. “The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization,” he said. In that same news release, the company said, “Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions.” A Hannaford spokesperson reached by Digital Transactions News late Monday did not have more information about the breach. Also not immediately known was the identity of Hannaford's merchant acquirer. While apparently not as severe as the huge data breach at off-price retailer TJX Cos. that potentially compromised by one estimate more than 90 million cards (Digital Transactions News, October 25, 2007), the Hannaford breach raises further questions about card-data security and the effectiveness of the card networks' Payment Card Industry data-security standard, or PCI. While Hannaford's PCI compliance status is unknown, Visa has reported that most of the largest merchants?the so-called Level 1 and Level 2 card acceptors by Visa transaction volume?now comply with PCI or are on their way to full compliance (Digital Transactions News, Jan. 22). Hannaford is surely a Level 2 and very possibly a Level 1 merchant, the latter of which submit more than 6 million Visa transactions a year. TJX was not PCI compliant when it was hacked. But the continuing data thefts cause some observers to be skeptical that Visa's numbers are capturing the true state of compliance. “The fact that it's 2008 and it [card data] is still in there means we really can't believe the PCI compliance statistics,” says Avivah Litan, a technology analyst at Stamford, Conn.-based research firm Gartner Inc. who closely follows electronic-payment security issues. Litan says she is working on a study that has found the majority of 50 retailers she surveyed have not revealed data breaches involving their companies. She expects the report to be out in about a month. The Massachusetts Bankers Association, meanwhile, says it has been in discussions with the card networks, as well as pursuing “legislative remedies,” to change network rules to require that merchants that are the sources of data breaches be identified and made liable for the resulting costs.
