4.2 Million Credit & Debit Card Numbers Stolen from Hannaford
Posted by
Shannon WeidemannMarch 23, 2008 4:55 PMThe Hannaford Bros. Co. grocery store chain announced last week that the credit and debit card numbers of 4.2 Million customers had been stolen. The breach in security affected transactions at all of their stores along the east coast, as well as the Sweetbay grocery store chain in Florida.
Normally credit card and debit card numbers are stolen from a database that has been breached by hackers, in this instance though the numbers were obtained while the data was being transmitted to the bank for authorization. It may be the first credit card theft of this kind.
The credit card and debit card numbers were stolen between December 7, 2007 and March 10. No customer names and addresses were obtained. There have been 1,800 cases of fraud reported. The card numbers have been used around the world.
Payment Card Industry sets security standards for companies that handle credit card and debit card data. It is a coalition set up by credit card companies. PCI has found Hannaford to be in compliance with their security standards when an external audit was performed last month.
David Navetta, president of InfoSecCompliance LLC, a Denver law firm that concentrates on computer security and regulatory compliance, argues that Hannaford and its assessor may have been tripped up by ambiguity in the PCI standards about when companies must encrypt payment data to cloak it from outsiders.In particular, the standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment, so Navetta believes Hannaford may have erroneously felt safe leaving data unencrypted in a spot that turned out to be vulnerable.
It is unknown what encryption method, if any, that Hannaford uses while the data is being transmitted. Data encryption can slow down transactions at the register and may not be used by all businesses.
Hannaford is still investigating how and why the security breach happened. Due to the credit card and debit card fraud the U.S. Secret Service is involved in the investigation. The company has stated they do not keep customer information in a database.
Two class action lawsuits against Hannaford have been filed on behalf of the card holders involved. The lawsuit "charges the company with negligence and breach of implied contract and seeks to recover any damages that might be caused to consumers as a result of the breach."