Hannaford Bros. data-security breach

Published 12:00 am Wednesday, December 2, 2009

When hackers obtained payment card data from Food Lion sister grocer Hannaford Bros., it may have been the first publicly known breach of a merchant compliant with the Payment Card Industry data-security standard. “We were certified (as PCI-compliant) last spring and we were recertified in February,” Carol Eleazer, Hannaford vice president of marketing, told the Digital Transactions News for a report Wednesday.
Some 4.2 million credit and debit card numbers were exposed in the breakdown that happened sometime between Dec. 7 and March 10. About 1,800 cases of fraud are believed linked to the breach.
The card numbers and expiration dates were intercepted during the authorization process, which means the interception could have occurred as data moved between cash registers and servers. Payment Card Industry standards require encryption of data in transit.
The U.S. Secret Service and other experts are investigating the breach.
Merchants often don’t disclose breaches involving payment card data. “This is the first publicly disclosed breach of data in transit, and there may be more to come,” payment security researcher Avivah Litan of Stamford, Conn.-based Gartner Inc., told Digital Transactions News.
Belgium-based Delhaize Group’s Delhaize America Inc. unit includes Food Lion, Hannaford and other grocery chains.
A spokeswoman said Food Lion, which wasn’t affected by the incident, abides by the Payment Card Industry’s strictest security standards.
The breach involved all 165 Hannaford Bros. stores in New England and New York, 106 stores in Florida of corporate affiliate Sweetbay, and some independent grocery stores in the Northeast that carry Hannaford products.