Skip to main content

Technology Trends Alert: Hannaford Hacked

The Hannaford data breach goes to show retailers that PCI Compliance is not an invincible shield, and even systems managed by one of the industry’s top c.i.o.s can fall prey to a determined hacker. Indeed, the incident, which was caused by a data intrusion into Hannaford's network, has led retail and technology experts to question the validity of the data security standards.

The breach, which took place between Dec. 7 and March 10, affected all 165 Hannaford stores, as well as 106 Sweetbay Supermarket stores in Florida, a sister Delhaize chain; and certain independent operators that sell Hannaford items.

 What’s unique about the Hannaford incident is that breach is the first massive theft of credit and debit card numbers while the information was in transit. This has also raised the question of who owns the data, as technically it was en route to the banks for approval when it was stolen.
At least 1,800 cases of fraud have come to light as a result of the breach, which was caused by malware secretly installed on its servers. The grocer has become the target of several class actions filed on behalf of consumers. This is one area where being PCI-compliant will help, as it supports the argument that Hannaford wasn’t negligent, much the same way that a retailer that can demonstrate a regular maintenance and cleaning schedule will seldom lose a slip and fall case.

The Payment Card Industry Data Security Standard was put in place by major credit card brands to make sure retailers take sufficient steps to protect customers' financial data. Mandated by major card brands including Visa, MasterCard, American Express, and JPMorgan Chase, it requires merchants to implement 12 account-protection mechanisms, including encryption, vulnerability scans, and the use of firewalls and antivirus software.

Hannaford customers demonstrated mixed reactions to the breach. Reader reactions in comments on the Maine Today Web site were mixed, with some locals loyally taking the company's side, and others accusing it of performing poorly both in terms of security and post-incident public relations.

"I'll stick with Hannaford," noted one commenter. "It could have happened to any company."

Identity theft facts:
  • The 2006 victim population was at 15 million. That means every minute about 28.5 people become a new victim of this crime, or a new victim is added in just over two seconds.
  • The top states in terms of victims per capita are: New York, California, Nevada, Arizona, Washington, and Texas. The Id Analytics study 2007 includes Hawaii, Illinois, Oregon, and Michigan. The FTC 2006 report includes Florida, Georgia, and Colorado.

Source: The Identity Theft Resource Center
Related Stories from Progressive Grocer Online:

Hannaford's Apology on Data Breach Hits Stores

'Malware' Said at Fault for Hannaford Breach

Class Actions Take Aim at Hannaford in Wake of Data Breach

Hannaford, Sweetbay Victims of Data Breach

Man Sentenced in Stop & Shop Keypad-tampering Case; Deportation Likely

Grocer Brothers Plead Guilty in $1 Million Coupon Scam

FMI and LifeLock Team Up to Fight Shopper Identity Theft

Fourth Stop & Shop Suspect Strikes Plea Deal

Retailers Reach Record in Losses Due to Theft and Fraud

Three Stop & Shop Fraud Suspects Enter Guilty Plea

Plea Bargain in In-store Keypad Fraud Case

Second Pin Pad Identity Theft Hits Save Mart-owned Albertsons Stores

WinCo Warns of Possible Credit Card Theft at Calif. ATMs

PIN Pad Theft Suspects Now Face Federal Charges

Suspects Charged in Stop & Shop EFT Theft Case Might Be Part of Ring

Four Arrested in Stop & Shop EFT Tampering Case

Related Links:
This ad will auto-close in 10 seconds