Hannaford Data Breach: The Victims Fight Back
Customers, Institutions Angry Over Compromised Card Transactions, Fraud
More than 1,800 of the compromised card numbers have already been used for fraudulent transactions. Affected by the breach were all 165 Hannaford stores in New England and New York, 106 Sweetbay stores in Florida and 24 independent stores in the Northeast that carry Hannaford products. Hannaford and Sweetbay are owned by Delhaize America, the U.S. arm of the Belgian supermarket group Delhaize.
Within two days of the breach announcement, two class action lawsuits on behalf of customers were filed against the retailer. The suits charge Hannaford was negligent for failing to provide adequate security for computer data.
Although the case is among the largest security breaches on record, it is much smaller than the theft of 45 million card numbers from TJX, the Framingham, MA, retailer whose roughly 2,500 stores include the T.J. Maxx and Marshalls chains.
At least 60 to 70 Massachusetts banks have received alerts from Visa and MasterCard about thousands of exposed credit and debit cards caught in a new data breach, says Daniel J. Forte, president and CEO of the Massachusetts Bankers Association (MBA).
"The affected accounts appear to be located in banks in Massachusetts and northern New England," Forte says. The MBA has been in discussions with the card companies and is also pursuing legislative remedies that would change card company rules, require release of the name of the offending retailer, and place liability for the costs associated with a breach on the retailer. The association demanded that the card companies name the retailer; Hannaford later stepped forward and acknowledged the breach.
Maine credit unions say 100,000 credit and debit cards are expected to be reissued because of the Hannaford breach.
"Because the compromise occurred at a major Maine retailer that so many Maine people use on a regular basis, the impact and cost of this compromise will be significantly higher than the TJX compromise last year," says Rebekah Higgins, Card Services Manager at Synergent, the service subsidiary of the Maine Credit Union League, which handles card services and processing for many Maine credit unions. She says a number of credit unions have already begun reissuing their entire card base.
Vermont banks and credit unions are also carefully watching their customers' cards for fraud after the Hannaford breach. Heritage Family Credit Union in Rutland, VT posted a message on its Web site, www.hfcuvt.com. The message says it will send letters to its members that have had their cards identified by Visa as part of the breach, as soon as the card numbers are released to the credit union.
A data security breach law passed in Vermont in 2007 now requires prompt notification of a breach. The law covers non-financial companies: it requires businesses and state agencies to notify consumers in the event of a security breach that compromises the security, confidentiality or integrity of certain personal information maintained by the agency or business.
While the United States Secret Service and other forensic investigators are still unraveling exactly where and how the card data was taken, some facts are known:
* Hannaford became aware of the breach Feb. 27.
* Investigators brought in to find the cause determined the data breach began on Dec. 7.
* Hannaford didn't stop it until March 10.
Hannaford says the sensitive data was exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval. Hannaford doesn't store credit card information in its databases, but uses a wired network to transfer information, according to a Hannaford spokesperson.
There are many past cases where hackers broke into databases to capture card data. The Hannaford breach may be an attack on data in transit, says Gartner analyst Avivah Litan. "The PCI (Payment Card Industry) standards may need updating to say 'data in transit' - even on private networks - must be encrypted, or the network segment processing card data needs to be sufficiently segmented from the rest of the store's networks," Litan says.
"It sounds like Hannaford did all that it could to secure data. The assessor determined it was compliant," she says. There has been too much attention paid to data at rest and not enough to data in transit, Litan adds. "The crooks are having a harder time attacking data at rest, so they have set their sights on data in motion, and here they obviously succeeded."
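To make Litan's point concrete, here is an added example, not code from Hannaford, its assessor or the investigators: a small scanner of the kind a practitioner might run over a packet capture taken from a store LAN to check whether card data is transiting in cleartext. The authorization message format and the TLS record below are constructed for the example; the article does not describe the actual format or transport Hannaford used. The scanner looks for 13 to 19 digit runs, keeps only those that pass the Luhn check used for primary account numbers (PANs), and reports them masked. On the cleartext sample it recovers both card numbers; on the TLS-protected sample it finds nothing, which is exactly the difference between the two network designs Litan describes.

```python
"""Scan captured traffic for cleartext primary account numbers (PANs).

Added illustration for this article. The sample messages below are constructed
here and do not represent Hannaford's real authorization traffic.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: two authorizations sent in the clear over a private LAN.
# The TRACE fields are 16-digit counters that are NOT Luhn-valid, so the Luhn
# filter should drop them; the PAN fields use well-known test card numbers.
CLEARTEXT_AUTH = (
    b"MSGTYPE=0100|TRACE=1234567890123456|PAN=4111111111111111|EXP=0912|"
    b"AMT=004523|TERM=POS0017\n"
    b"MSGTYPE=0100|TRACE=1234567890123457|PAN=5500 0000 0000 0004|EXP=1110|"
    b"AMT=001299|TERM=POS0022\n"
)

# Constructed sample: the same kind of message after TLS wrapping looks like an
# opaque TLS application-data record (type 0x17, version 0x0303, length 0x30).
TLS_RECORD = b"\x17\x03\x03\x00\x30" + bytes.fromhex(
    "8ab1e4c70d5f9a2263b4ee07c1d9f5a04b7e1c2d3e4f5a6b"
    "7c8d9e0fa1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(stream: bytes) -> list[str]:
    """Return distinct Luhn-valid PANs found in cleartext in the byte stream."""
    found: list[str] = []
    for m in PAN_RE.finditer(stream):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Mask a PAN PCI-style: first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_report(stream: bytes) -> list[str]:
    """Masked PANs found in the stream; an empty list means nothing leaked."""
    return [mask(p) for p in find_pans(stream)]


if __name__ == "__main__":
    print("cleartext LAN capture:", scan_report(CLEARTEXT_AUTH))
    print("TLS-protected capture:", scan_report(TLS_RECORD))
```

The Luhn filter matters in practice: trace numbers, timestamps and terminal IDs produce plenty of long digit runs, and without it a scan of a busy POS segment is mostly false positives. Run the same scanner against a capture from the segment that carries authorizations; any hit means card data is crossing that wire unencrypted, regardless of what the PCI assessment said about data at rest.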
Bad News for Everyone
This breach is not just bad news for the retailer, its 4 million customers and the institutions forced to replace credit and debit cards. It has also sent rumbles of uncertainty through the world of PCI-compliant retailers: Hannaford states on its web site, in its privacy statement, that it is PCI-DSS compliant.
The PCI Security Standards Council's general manager Bob Russo says "The Council is very concerned about any compromise of cardholder data as it undermines the integrity of electronic payments." Russo adds this incident underscores the need for all businesses to ensure that they handle "customer payment card data with the utmost vigilance."
Russo says the PCI Council has been monitoring reports that Hannaford Bros. grocery chain was in compliance with the PCI Data Security Standard at the time of its self-reported data breach. "As the Council does not track nor monitor compliance, at this time we do not have additional insight beyond these initial reports," he says. "We will continue to monitor this event and review all investigative findings."
David Taylor, president of the PCI Security Vendor Alliance, has a warning for retailers and institutions alike. "Anyone who thinks that just because they don't have CVV numbers or names of card holders that the credit card numbers they have aren't of any value -- they are," he says. "To know it, just look at the 1800 fraudulent transactions that have already occurred in this breach." In the Hannaford breach, the hackers were only able to take card numbers and expiration dates, according to Hannaford.
Taylor says he hears the same comment from mid-sized and smaller retailers and financial institutions - that they're too small, nobody is going to come after them because they don't have millions of transactions. "I explain to them that a lot of the initial forays to find this kind of information are done by bots. These bots don't know how large you are; they just know you have an unpatched vulnerability."
What some retailers and institutions have failed to realize is that the most valuable thing at stake after a data breach may not be money. "The big lesson for Hannaford is reputation damage control," says Nick Holland, Aite Group information security technology analyst. "All these cautionary tales that came after TJX's breach occurred must not have gotten through to them."
While the Hannaford breach is nowhere near as big as TJX, Holland wonders whether customers would feel any more confident in Hannaford if only a few thousand cards had been stolen. "Mistrust is very hard to quantify," he says. "As an end-user, a breach is a breach, no matter how many credit cards were taken. I want some evidence that this merchant has learned its lesson and is prepared to do what is required to close the cracks in the system."
Of one fact Holland is sure, "I am absolutely certain this won't be the last case we see."
The Institutions Fight Back?
Banks and credit unions will again bear the burden of costs involved with the breach. The cost of reissuing a card includes not only the replacement itself but hidden costs: additional hours spent communicating with customers, and loss of goodwill and confidence in the institution. In the TJX case, the retailer settled a lawsuit brought against it by financial institutions affected by the breach for $40 million. Hannaford already faces two class action lawsuits from consumers, and more filings are expected from financial institutions, notes PCI Alliance's Taylor.
John Murphy, President of the Maine Credit Union League and Synergent, says, "In this case, as is often the case in data breaches and compromises, the financial institution has done everything right, and it is the merchant who bears full responsibility of the compromise."
Murphy says the growing frequency of breaches and compromises pushed Maine Credit Union League to help draft legislation to study the effect of data security breaches, including the damages suffered as a result of these breaches on Maine credit unions and banks. The League, he says, is a strong advocate that the time has come to shift the financial burden from the financial institution to the source of the breach. "Because in the case of credit unions, every member-owner is affected by the breach."