4.2 Million Credit Cards Exposed In Hannaford Supermarket Security Breach

A security breach at the Hannaford east coast supermarket chain has led to the exposure of some 4.2 million credit cards. The company said it was aware of at least 1,800 cases of fraud directly connected to the breach. If you shopped at Hannaford’s from Dec. 7 to March 10, when the breach is thought to have occurred, now is a great time to close your current credit and debit cards and get new ones. Side note: when clicking around their official website we found many sub-pages are down, saying they’re currently “undergoing site maintenance.”

Breach Exposes 4.2M Credit, Debt Cards [AP] (Thanks to Rich!)

Comments

  1. elislider says:

    what the fuck is the world coming to. this shit needs to be stopped. class action lawsuits. the company deserves to go bankrupt for this sort of thing

  2. doctor_cos wants you to remain calm says:

    How exactly are the numbers ‘stolen during the authorization process’ ???
    Class action? We need to remove someone’s nuts with a pair of salad tongs.

  3. dotcomrade says:

    Lesley Stahl reported on this issue for 60 Minutes. You can watch the video

    [www.cbsnews.com]

    to see how the data is stolen. If the link stops working, you can search for “Hi-Tech Heist” at cbsnews.

  4. amoeba says:

    @dotcomrade: Thanks for the link! Very useful!

    Now it makes sense.

  5. Buran says:

    @dotcomrade: Can we have a text link, please?

  6. StacMaster-S says:

    Argh… I shop there all the time!

    I guess if I see any crazy unauthorized purchases in the next few weeks I’ll know why. >_>

  7. PirateSmurf says:

    It’s a worm, haven’t you seen the movie Hackers?

  8. dotcomrade says:

    @Buran: I would have posted a link to the transcript were it available online. According to the CBS News website, “Transcripts are not available on the Web.” Hey, 60 minutes people, can we get a link?

  9. WisconsinDadof2 says:

    The discussion about this type of fraud should include legislation that would hold the business that was breached liable for the cost not only for credit monitoring, but for the very real cost that banks are charged for replacing a significant number of cards.

    In general if a business is unable to ensure or demonstrate PCI compliance, they should be held accountable when they are subject to data loss.

    Then, you would see merchants take more action, before these breaches occur, at least in my view. That would also help to mitigate the need to initiate class action lawsuits – if the business was on the hook for the costs of replacing cards, maybe a provision to automatically send affected consumers new cards, or something like that – in the face of huge potential (punitive?) costs, it would motivate merchants to take preventive steps to protect their data, or so you’d think.

  10. johnva says:

    @Buran: Link

    That video is about the TJX breaches. But it’s not clear to me that this particular breach was done the same way. But it’s entirely possible. Perhaps their registers were not properly encrypting the card numbers being transmitted if the theft occurred during the authorization process.

  11. @dotcomrade: Lesley Stahl reported on this issue for 60 Minutes.
    Video didn’t seem that long to me.

  12. forgottenpassword says:

    so EXACTLY how did this breach happen? Did someone hack/tap into their system with a blackbox that stored credit card numbers for later retrieval?

    Or were they using horribly outdated technology/security?

    Or both?

  13. radio1 says:

    Huh? Good God.

  14. 3drage says:

    California lawmakers attempted to pass a law that would keep places like this from storing massive amounts of data. Arnold shot it down because he said it would be better if the companies self-regulate and that enacting these types of laws would hurt companies. The law was passed by a wide margin, and was vetoed. I wonder how much in reputation Hannaford is going to lose because of this breach? Probably quite a bit more than if they had hired a security guy and purged their systems of unneeded data.

  15. Gorky says:

    This is why they still make CASH!!! Unfortunately people these days are too lazy to deal with cash. As if it isn’t annoying enough waiting behind a bunch of people whipping out their plastic when they could get through the line half as fast if they used cash. Maybe if this happened MORE often people would be sensible and use cash. They make cash for a reason, so use it!!

  16. 22rifle says:

    I feel bad for the customers who got hurt but am not weeping that the company got a black eye. They don’t play very nice to begin with.

  17. doctor_cos wants you to remain calm says:

    @Gorky: So it’s our fault because we don’t use cash?

  18. thezoob says:

    Funny how all the contact information for Hannaford has disappeared from their website.

  19. Pink Puppet says:

    @doctor_cos: Yes, how DARE you use credit or debit? Every time you swipe that card, you’re kicking Gorky’s puppy!

  20. Gorky says:

    @doctor_cos:

    Yes, they make cash, use it

  21. deedrit says:

    doh!

  22. Gorky says:

    @doctor_cos:

    Credit cards are for unforeseen emergency expenses, not for a $5 lunch

  23. DrGirlfriend says:

    @Gorky: Could you clarify on the cash issue? Are you saying that you prefer cash? Because I’m getting the feeling that you like to use cash.

    Cash.

  24. Pink Puppet says:

    @Gorky: Got that stick shoved up pretty high, don’t you?

    While I’m sure in Gorkyland, you’re the end all be all of what credit cards are for, the rest of the world seems to have failed to catch up to you.

  25. Grrrrrrr, now with two buns made of bacon. says:

    I already received a notice from my Credit Union about this, although they wouldn’t name names. Since I shop at Hannaford regularly and often use my debit card, I’m pretty sure that’s why.

    How the hell were the account numbers stolen during authorization?

    This is like the 3rd or 4th time in the last year that my personal information or account numbers have been left exposed, and I’m really sick of it.

  26. nequam says:

    @Gorky: Actually, emergency savings accounts (filled with cash) are for emergencies : P

    As the Consumerist repeatedly and ably points out, credit cards are not inherently bad. They are a financial tool that needs to be used responsibly. They are especially helpful in making large ticket purchases not only because they are more convenient than carrying around $2000 in cash to buy a TV, but they typically offer purchase protection that one doesn’t get by using checks.

    Credit cards become most problematic when they are used to purchase items that the purchaser cannot afford. The security risks are actually quite low, as demonstrated, in part, by the fact that these breaches are major news. You are much more likely to be a victim of fraud from somebody poking around in your trash. My suggestion? Only buy what you can afford and shred your way to peace of mind.

  27. Sudonum says:

    @Gorky:
    Your reserve fund is for unforeseen expenses, definitely NOT credit cards.

  28. mynameisnate says:

    @doctor_cos:

    Maybe Gorky has had some issues in the past with getting his first credit card.

    I never use cash: using a credit card is much faster, I don’t get change back, and it documents my purchases. Plus, when you add in my credit card/hotel points and the extended warranties when I purchase with a CC, using cash is straight foolish. Oh, plus it helps with tax season with my year end summaries. The End.

  29. boxjockey68 says:

    does anyone know if this includes Sweetbay supermarkets as well?

  30. scoobydoo says:

    @boxjockey68: From the linked article:

    The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

  31. boxjockey68 says:

    @scoobydoo: Thanks, naturally I saw that right after I asked, time to call my bank I guess. These companies need to learn how to be a bit more responsible, til they do I will be using cash.

  32. ChuckECheese says:

    My favorite supermarket security breaches are when I find other peoples’ shopping lists in my cart/basket.

  33. ChuckECheese says:

    But SRSLY people, don’t all these incompetent shenanigans just make you sad? What’s happened to America? We’re…mediocre. We’re undertrained, overworked, and underpaid, unless we’re executives, in which case we’re clueless, unconcerned and overpaid. Everything is getting so low-rent. Why aren’t teh technologeez making us smarter, better, richer and fresher-smelling (ok, most of us do smell better than our grandparents did). We screwed over the rest of the planet with this subprime mortgage mess, and they’re giving us payback by dumping our stocks and selling off our currency. Thank God for Milwaukee’s Best!

  34. Shadowfire says:

    Guess I’m going to the bank tomorrow. :(

  35. superdewa says:

    @Shadowfire: Me too.

    Maybe now’s the time for me to set up a separate grocery account with a separate debit card.

  36. scoosdad says:

    @nequam: Yeah, due to the discussions here about safety (to me) of credit vs. debit cards, I recently got a credit card from Bank of America for my everyday plastic purchases (supermarket, drugstore, etc.), then called them to switch my full BofA debit/check card to a strictly ATM-only card:

    BofA: OK sir, we can do that for you right now. I’m issuing you an ATM-only card, and we’ll put that in the mail to you today.

    Me: So when I get it and activate it over the phone, it will disable my present card?

    BofA: Oh no sir, I’m deactivating your present card right now. You can’t have them both active at the same time.

    Me: Wait a minute, how will I access my account in the meantime if I have no working card until the one in the mail shows up?

    BofA: I’m sorry, it’s a security thing. Is there anything else I can help you with today?

    Me: grrrrrrrrr…..

  37. FLConsumer says:

    Thank you Consumerist for posting data breaches like this. I got stung by the VIP Tune thing, so far haven’t seen anything unusual despite shopping at Hannaford’s Sweetbay stores on occasion.

    Something about this story doesn’t make sense. From the Boston Herald version of the story ([www.bostonherald.com]) :

    Hannaford, which has some two dozen Massachusetts stores, said the breach began Dec. 7 and continued until March 10.

    However, Hannaford admitted that it first learned of the security breach nearly three weeks ago.

    If the breach was discovered 3 weeks ago, how come the hole was still there last week? I find that almost more scary than the actual breach itself.

  38. Asmordean says:

    It’s stories like this that make me happy that I am the guy that makes the IT choices at the small business I work for. When setting up the location I insisted on wired the whole way.

    I do find it amusing that she says “within a few years it had been cracked”; it was my understanding that WEP was cracked within days of existence.

    Another problem with people setting up wireless networks is they pick passwords that are horribly easy. The best is to make the password horribly long and ugly then stick it physically to the router. The idea being that if an attacker has access to your router you’re not going to stop them with a WPA / WPA2 pass key.

    Although typing @IBpuSl?j.R@(qdFYpFJYt^0>OXqUdBXf>zHtv1U04j;#m[UFqSyM`ZTw5uGw!6 into my Wii was a bit of an exercise in pain.

  39. jlt says:

    I have some first hand knowledge of what happens during these sorts of incidents. I was involved in the discovery, identification, and cleanup of a small scale credit card breach incident last year. In my case, it was less than 12,000 credit cards stolen. I was not responsible for the security or compliance of those systems until after the breach, and I learned quite a bit about this topic.

    It appears Hannaford found out due to the level of fraud reported by customers, and not because they discovered evidence of the “hacker”. Their technical and customer service team undoubtedly had to immediately sound the alarm, get senior management to take the issue seriously [sometimes difficult], make decisions, and then hire an outside investigative and forensic team to determine exactly what was going on, and then decide how to best deal with it from a technical and business point of view. The experts then had to stop the bad guys from taking any more of the data, without crippling Hannaford’s ability to transact business, AND at the same time preserve whatever forensic evidence was there so that there would be any sort of chance that someone might eventually be caught and convicted for these crimes. And they were most likely doing all of this while having multiple daily conference calls with the Secret Service, their credit card clearing bank, and Visa and MasterCard.

    As for exactly how it happened, I have no idea or inside knowledge, but I can offer some educated conjecture. There are many ways that they could have been attacked and penetrated, including deliberate misdeeds by trusted employees or contractors. Accomplishing a theft like this is not that hard, if you know where to attack. I’m sure a company of their size uses centralized “authorization gateways” which allow all of the cash registers in each of the stores to quickly exchange information with your credit card company or bank, and that is where the data was easiest to intercept and steal. Imagine if you will if someone had the ability to “make a photocopy” of every letter that went through your post office, without you noticing. This is roughly what the bad guys were doing with the credit card information as it was being transmitted to the bank to pay for the groceries you just purchased.

    I am not too concerned about the timeliness of the notification — three weeks is not too bad for a company their size and for all of the work that needed to be done and decisions made. You could argue that they should have notified the public sooner, but then you might have been even more upset if they initially said that the problem was only 500,000 accounts, and then later had to revise that to 4.2 million. I’d want to have as many facts as possible about what happened, if I was a company spokesperson, and it takes time to get the facts uncovered.

    I spoke to their customer service tonight (I shop there at least once a week, and I am sure I am affected) and they were very clear that the ONLY information that was compromised were card numbers and expiration dates, and that they never store personally identifiable information, so there was no way for them to notify customers individually.

    I do think the 1800 affected accounts are just the tip of the iceberg. What will be interesting now is to see how far Hannaford goes (or doesn’t go) to “make it right” for their customers. Will they offer a sincere apology, improve their security, and give the customers a reason to continue shopping there? Or will they spin it, attempt to place blame and minimize what happened, and fail to “make it right” for the customers? They face a true public relations nightmare. I guess we will find out soon how it is going to turn out.

    Lastly, according to some reports, Hannaford was in fact “PCI Compliant” before this problem. PCI is the Payment Card Industry data security standard that all merchants who accept credit or debit cards must adhere to. If true, then that is significant. If they were PCI DSS compliant before the incident, they would be the very first company to have a data breach after achieving PCI compliance. Of course, PCI only works if they were following all of the requirements and guidelines on a daily and weekly basis. It is likely that there were some human errors made which allowed an opening to be exploited.

  40. Rachacha says:

    @Asmordean: Ha…Now we know Asmordean’s Password. Now if we can just figure out where he lives…

    @Gorky: So do you keep all of that cash under a mattress in your home, or do you keep it in a Bank that uses computers, and transmits your account information electronically over their network (and over the internet)? Granted, one would HOPE that the bank would encrypt all data and secure their network properly, but their IT staff is only human and I am sure that they make mistakes too…just as they are subject to internal theft from employees.

  41. doctor_cos wants you to remain calm says:

    @DrGirlfriend: I believe Gorky is a professional mugger, thus the predilection for the rest of us to carry cash.

    [puppy] KICK [/puppy]

    Meanwhile, time to tell my favorite bank, hey I need a new debit card pls.

  42. aikoto says:

    Cue the worthless free credit monitoring offer in 3… 2…

    Seriously, I’d love to see one of these companies pay for a credit freeze for once.

  43. vermontwriter says:

    My problem with this whole thing is that they’ve known for weeks but didn’t inform customers at all. The news picked it up and mass broadcast it. Then the breach started in December and they did nothing. Hannaford is the closest grocery store to me (rural area), but I’ll spend the extra gas money now and avoid them.

  44. bohemian says:

    We were caught in the VA and the TJX data breach. There was lots of talk about getting everyone in the VA breach free credit monitoring. Nothing happened. The TJX breach, yea right. The way that is going we will never see anything and neither will our bank that had to reissue cards.

    I am leaning more towards using cash. So far the odds of being mugged or robbed seem to be less than getting robbed by fraud.

  45. Jaysyn was banned for: http://consumerist.com/5032912/the-subprime-meltdown-will-be-nothing-compared-to-the-prime-meltdown#c7042646 says:

    @Gorky: They make credit & debt cards too, what’s your point?

  46. phineasgage says:

    My wife had her purse stolen last October (@ Hannafords) We regularly shop there at least 2x a week. We had all new cards issued, new bank accounts, fraud alert etc.

    2 weeks ago, Citibank calls us on a Sunday morning to ask if we had just charged $10,000.00 to Harvard University! We couldn’t understand how someone had our newly issued card #. Now we know.

  47. FLConsumer says:

    @jlt: Thank you for posting your experiences with this type of problem.

    I still find it inexcusable that they were aware of the problem and acted so slowly. I’m sure Visa/Mastercard/the banks, along with the public’s lack of trust, will make sure Hannaford doesn’t forget this incident any time soon. I’m also curious as to whether Visa/MC’s fraud algorithms pinpointed Hannaford or whether this slipped past their systems.

    Personally, I don’t have a problem with them NOT notifying the public sooner. The last thing you want to do as a company is to admit you have a gaping security hole without it being fixed, otherwise you’re just becoming an even larger target for fraud.

  48. Chairman-Meow says:

    After the TJX incident, I did a wardrive around here in Massachusetts just to see what companies were taking steps to fix their wireless systems.

    I was shocked to find the amount of security holes I found around malls, stores, etc. If the store is using WEP encryption, I could (and did) crack their WEP keys in about 45 seconds.

    Good thing I’m one of the good guys. I used tools that are easily found on the intertubes to do all my wardriving needs. Imagine what a bad guy can do ?

  49. akyiba says:

    I have a choice between Hannaford, a place where even though I don’t buy meat from there I don’t see long strands of hair displayed in packages of meat on multiple occasions, or Market Basket where the strands are hair or displayed in packages of meat. I think I’ll stick with Hannaford.

    I received a new card when the whole TJX thing happened and I guess I’ll receive a new one since this happened. I hardly carry cash on me for numerous reasons. Which is why I am not an analog girl living in a digital world.

  50. akyiba says:

    meant to say Market Basket where the strands are hair are displayed in packages of meat. I think I’ll stick with Hannaford.

  51. jlt says:

    @FLConsumer: Some reports have implied that Hannaford “self reported” the problem to Visa/MC. This is the preferable way, as the penalties and fines (imposed by Visa/MC) are higher if they figure it out first and then have to tell the merchant.

    I really don’t think three weeks from first discovery of problem to public announcement is that bad. They didn’t get the security hole plugged up until March 10, according to their press release. As you stated, they needed to get secure before they announced.

    I’ll continue to shop at Hannaford, mostly due to a lack of choices where I am (midcoast Maine). I’d rather go to Hannaford than Walmart. I already shop at the smaller local stores and farmer’s markets when possible. But if Hannaford really screws up their response to this incident, I will find more alternatives.

  52. Chairman-Meow says:

    @jlt: The Hannaford problem had been going on for months till their customers started complaining to them. Hannaford had no clue someone had compromised their system, which is a much bigger problem. You would have thought that most retailers would have taken a hard look at their security after the TJX incident that happened almost two years ago.

    From what I am reading, all they did do to “fix” the problem was change the encryption keys… on the same devices that were hacked in the first place.

  53. Ken says:

    Good, I don’t shop there!

  54. Superawesomerad says:

    @ChuckECheese: What the hell are you talking about?

  55. B says:

    @scoosdad: You’re doing better than me. I cancelled my debit card because I used it at Hannafords, and I tried to get a regular ATM card. The CSR I talked to said I had to go to a branch and arrange it there. Per my discussion with the teller, I found Key Bank would charge me a dollar a month for the privilege of not having a debit card.

  56. bluewyvern says:

    This is really unfortunate. I don’t think Hannaford did anything wrong — they were in compliance with the established security procedures for processing electronic payments, and they were compromised anyway. And they don’t keep some massive database of names that they couldn’t keep ahold of, as one or two people have suggested — it was just each transaction being scanned as it happened. (It’s a big part of Hannaford culture NOT to have those stupid loyalty cards with all your personal info — I’m a big fan.)

    And I’m not in a position to know, but I would guess they located and plugged the hole as fast as they could once they were made aware of the problem. I agree it might have been unwise to broadcast “hey, we have a gaping security breach, but we don’t know how or where!”

    If a PCI compliant system really can be silently compromised this devastatingly, this could lead to some huge issues industry-wide…scary.