Security Breach at Hannaford

Customers of two East Coast supermarket chains have been told to closely monitor their credit and debit card statements after more than 4 million cards were exposed in a data breach.

The Hannaford Bros. supermarket chain experienced a security breach that led to thefts of customer credit and debit card numbers used at 165 stores in New England and New York and 106 Sweetbay stores in Florida, as well as a smaller number of independent grocers selling Hannaford products.

So far, there have been about 1,800 cases of reported fraud stemming from the data breach, said Carol Eleazer, vice president of marketing at Hannaford's headquarters in Scarborough.

Hannaford became aware of unusual credit card activity on Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn't contained until March 10, Eleazer said.

Hannaford warned customers to watch their credit and debit card statements and alert authorities in the event of unusual transactions. It also told customers to beware of hoax e-mails and calls from people claiming to represent Hannaford and seeking to collect personal information.

"For more than 125 years, Hannaford has been dedicated to earning the trust of our customers, and we sincerely regret any concern or inconvenience this has caused,'' Ronald C. Hodge, Hannaford president and CEO, said Monday in a statement. "We have taken aggressive steps to augment our network security capabilities.''

Credit and debit card numbers were stolen during the card authorization transmission process but no personal information like names, addresses or telephone numbers was divulged, the company said. Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions, it said.

Hannaford and Sweetwater, along with Food Lion, are owned by Belgian supermarket chain Delhaize America. Food Lion was not affected by the data breach.

The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it's investigating a data breach but declined to comment on the scope of the crime. "The company did contact us, and we are investigating,'' said agency spokesman Malcolm Wiley.

Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, said holders of debit cards involved in the Hannaford case are most at risk of fraud. While banks generally cover costs up front from fraudulent charges that appear on customers' credit card statements, exposure of a debit card in a breach could potentially lead a criminal to drain a victim's bank account. That would leave a consumer having to convince a bank that they deserve to be reimbursed.

"Any time a debit card number is exposed, the affected individuals need to be contacted immediately, and their accounts should be closed down,'' Givens said.

The 4.2 million card numbers that Hannaford said were potentially exposed and 1,800 cases of related fraud rank the case among the largest breaches on record involving retailers.

But the case is still far smaller than the biggest hack measured by the number of customer records involved _ last year's disclosure of a breach at TJX Cos., the Framingham, Mass.-based operator of more than 2,500 discount retail stores including T.J. Maxx and Marshalls.

TJX reported last March that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in 2005. However, banks' recent court filings in a lawsuit against TJX put the number of cards affected at more than 100 million.

Hannaford's announcement came several hours after the Massachusetts Bankers Association warned that about one-third of its 200 member banks had been contacted by Visa and MasterCard, alerting them that some of the credit and debit cards the banks issued could be at risk.

Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said.

"I had expected there would be more than we've heard of,'' Walker said. "But it's still too early for us to tell.''

Eleazer defended Hannaford's response to the breach.

"We moved with all deliberate speed to get out to customers with information that we could have confidence in,'' she said. "This is a complex undertaking.''