Skip to main content

Class Actions Take Aim at Hannaford in Wake of Data Breach

The Philadelphia law firm of Berger & Montague, PC said it filed a class action this week in the U.S. District Court for the District of Maine on behalf of all U.S. consumers whose credit card or debit card data was stolen from the computer network of Hannaford supermarkets.

According to the complaint, Hannaford was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker.

"Because of Hannaford's inadequate data security, its customers have had their personal financial information compromised, have been exposed to the risk of fraud, have incurred and will continue to incur time to monitor their accounts and dispute fraudulent charges, and have otherwise suffered damages," said Berger & Montague, which served as co-lead counsel in a class action against TJX Cos., Inc, owner of TJ Maxx, Marshalls, A.J. Wright, and HomeGoods, in a case relating to the largest reported theft of credit card information in history. That case has been settled, with the settlement awaiting approval before the court.

Another case was filed by Bangor, Maine-based attorney Samuel Lanham Jr. on behalf of Hannaford customer Melinda J. Ryan, a Bangor resident, and unnamed others, seeking compensation for the breach itself, according to published reports.

Hannaford manager of internal communication Michael Norton declined to comment on the present litigation, citing longstanding company policy.

Hannaford had posted a letter earlier this week on its Web site explaining that there was a "data intrusion into its computer network that resulted in the theft of consumer credit and debit card numbers." The data was accessed from Hannaford's computer system "during transmission of card authorization," according to the letter, which was signed by company c.e.o. Ron Hodge.

The breach involved all Hannaford stores in New England, as well as sister banner Sweetbay Supermarket stores in Florida.

Published news reports said that 4.2 million unique credit and debit card numbers were exposed to potential fraud, although there have only been about 1,800 cases of reported credit and debit card fraud relating to the breach.

According to press reports, the breach began on Dec. 7, 2007 and wasn't contained until March 10, 2008. Hannaford said that it became aware of the breach on Feb. 27, 2008, although it didn't make a public announcement until nearly three weeks later, on March 17.

When asked about the lag between the discovery of the breach and the public announcement, Hannaford's Norton explained to Progressive Grocer that the company was faced with "a lot to work on, and a lot to work through," as the issue presented a "fair amount of complexity" requiring a "day-and-night effort" to contain.

According to Norton, Hannaford's "first indication" of unusual credit card activity was followed by "aggressive, immediate investigation," which still continues. The authorities and data security experts were called in "within a very short period of time" after the Feb. 27 discovery, he said.

When the full scope of the problem was apparent to Hannaford, the retailer was then able to inform its shoppers accurately about the data intrusion, and would continue to talk to them on the subject, noted Norton.
This ad will auto-close in 10 seconds