UPDATE: The Hannaford grocery store chain announced on Monday that a network compromise had resulted in the theft 4.2 million credit- and debit-card account numbers.
The announcement came after Visa and MasterCard warned banks in the northeast United States that a breach at "a major retailer" put customer card data at risk. The intrusion affects customers of Hannaford stores, Sweetbay stores in Florida and "certain independently-owned retail locations in the Northeast that carry Hannaford products," the company said. Hannaford owns 165 stores in New England and 106 Sweetbay stores in Florida, according to the Associated Press.
"We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry," Ronald C. Hodge, president and CEO of Hannaford, said in a statement. "The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization."
Credit-card companies contacted at least 60 banks in Massachusetts alone to warn of the break-in, but did not name the retailer in their communications with the various financial firms, the Massachusetts Bankers Association said on Monday in a statement (pdf).
"Customers do not need to call their bank," Daniel J. Forte, president and CEO of the Massachusetts Bankers Association, said in the statement. "If cards need to be replaced, consumers will be notified by their bank. In the event that fraud does occur due to a data breach, even though our banks did not cause this breach, the banks will hold each customer harmless, refunding any lost money."
The total number of credit and debit accounts put at risk by data breaches reported in 2007 reached an all-time high. Among the major breaches made public, retail giant TJX Companies announced that online thieves had stolen at least 46.5 million records in a compromise of its systems that had lasted nearly 18 months. The size of the breach reached more than 94 million, according to testimony given by Visa and Mastercard executives in August. MBA's member banks had sued TJX to recover the costs of replacing customers' cards put at risk by the breach. The banks and retailer settled in December, with the retailer promising to dole out a total of $41 million to any banks affected by the breach.
Card companies are not required to release the names of companies that have leaked or lost credit-card information. Bank associations, including the MBA, support legislation to require the name of the processor or retailer to be released.
Hannaford has reported the breach to law enforcement authorities, Hodge said in his statement.
UPDATE: Information from Hannaford's announcement on Monday was added to the news brief.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos