A security breach at the Hannaford east coast supermarket chain has led to the exposure of some 4.2 million credit cards. The company said it was aware of at least 1,800 cases of fraud directly connected to the breach. If you shopped at Hannaford's between Dec. 7 and March 10, the window in which the breach is thought to have occurred, now is a great time to close your current credit and debit cards and get new ones. Side note: when clicking around their official website we found many sub-pages are down, saying they're currently "undergoing site maintenance."
Breach Exposes 4.2M Credit, Debit Cards [AP] (Thanks to Rich!)
Comments
what the fuck is the world coming to. this shit needs to be stopped. class action lawsuits. the company deserves to go bankrupt for this sort of thing
How exactly are the numbers 'stolen during the authorization process' ???
Class action? We need to remove someones nuts with a pair of salad tongs.
Lesley Stahl reported on this issue for 60 Minutes. You can watch the video
[www.cbsnews.com]
to see how the data is stolen. If the link stops working, you can search for "Hi-Tech Heist" at cbsnews.
@dotcomrade: Thanks for the link! Very useful!
Now it makes sense.
@dotcomrade: Can we have a text link, please?
Argh... I shop there all the time!
I guess if I see any crazy unauthorized purchases in the next few weeks I'll know why. >_>
It's a worm, haven't you seen the movie Hackers?
@Buran: I would have posted a link to the transcript were it available online. According to the CBS News website, "Transcripts are not available on the Web." Hey, 60 minutes people, can we get a link?
The discussion about this type of fraud should include legislation that would hold the business that was breached liable for the cost not only for credit monitoring, but for the very real cost that banks are charged for replacing a significant number of cards.
In general if a business is unable to ensure or demonstrate PCI compliance, they should be held accountable when they are subject to data loss.
Then, you would see merchants take more action, before these breaches occur, at least in my view. That would also help to mitigate the need to initiate class action lawsuits - if the business was on the hook for the costs of replacing cards, maybe a provision to automatically send affected consumers new cards, or something like that - in the face of huge potential (punitive?) costs, it would motivate merchants to take preventive steps to protect their data, or so you'd think.
@Buran: Link
That video is about the TJX breaches. But it's not clear to me that this particular breach was done the same way. But it's entirely possible. Perhaps their registers were not properly encrypting the card numbers being transmitted if the theft occurred during the authorization process.
@dotcomrade: Lesley Stahl reported on this issue for 60 Minutes.
Video didn't seem that long to me.
so EXACTLY how did this breach happen? Did someone hack/tap into their system with a blackbox that stored credit card numbers for later retrieval?
Or were they using horribly outdated technology/security?
Or both?
Huh? Good God.
California lawmakers attempted to pass a law that would keep places like this from storing massive amounts of data. Arnold shot it down because he said it would be better if the companies self-regulate and that enacting these types of laws would hurt companies. The law was passed by a wide margin, and was Vetoed. I wonder how much in reputation Hannaford is going to lose because of this breach? Probably quite a bit more than if they had hired a security guy and purged their systems of unneeded data.
This is why they still make CASH!!! Unfortunately people these days are too lazy to deal with cash. As if it isn't annoying enough waiting behind a bunch of people whipping out their plastic when they could get through the line half as fast if they used cash. Maybe if this happened MORE often people would be sensible and use cash. They make cash for a reason, so use it!!
I feel bad for the customers who got hurt but am not weeping that the company got a black eye. They don't play very nice to begin with.
@Gorky: So it's our fault because we don't use cash?
Funny how all the contact information for Hannaford has disappeared from their website.
@doctor_cos: Yes, how DARE you use credit or debit? Every time you swipe that card, you're kicking Gorky's puppy!
@doctor_cos:
Yes, they make cash, use it
doh!
@doctor_cos:
Credit cards are for unforeseen emergency expenses, not for a $5 lunch
@Gorky: Could you clarify on the cash issue? Are you saying that you prefer cash? Because I'm getting the feeling that you like to use cash.
Cash.
@Gorky: Got that stick shoved up pretty high, don't you?
While I'm sure in Gorkyland, you're the end all be all of what credit cards are for, the rest of the world seems to have failed to catch up to you.
I already received a notice from my Credit Union about this, although they wouldn't name names. Since I shop at Hannaford regularly and often use my debit card, I'm pretty sure that's why.
How the hell were the account numbers stolen during authorization?
This is like the 3rd or 4th time in the last year that my personal information or account numbers have been left exposed, and I'm really sick of it.
@Gorky: Actually, emergency savings accounts (filled with cash) are for emergencies : P
As the Consumerist repeatedly and ably points out, credit cards are not inherently bad. They are a financial tool that needs to be used responsibly. They are especially helpful in making large ticket purchases not only because they are more convenient than carrying around $2000 in cash to buy a TV, but they typically offer purchase protection that one doesn't get by using checks.
Credit cards become most problematic when they are used to purchase items that the purchaser cannot afford. The security risks are actually quite low, as demonstrated, in part, by the fact that these breaches are major news. You are much more likely to be a victim of fraud from somebody poking around in your trash. My suggestion? Only buy what you can afford and shred your way to peace of mind.
@Gorky:
Your reserve fund is for unforeseen expenses, definitely NOT credit cards.
@doctor_cos:
Maybe Gorky has had some issues in the past with getting his first credit card.
I never use cash: using a credit card is much faster, I don't get change back, and it documents my purchases. Plus you add in my credit card/hotel points and the extended warranties when I purchase with CC, and using cash is straight foolish. Oh, plus it helps with tax season with my year end summaries. The End.
does anyone know if this includes Sweetbay supermarkets as well?
@boxjockey68: From the linked article:
The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.
@scoobydoo: Thanks, naturally I saw that right after I asked, time to call my bank I guess. These companies need to learn how to be a bit more responsible, til they do I will be using cash.
My favorite supermarket security breaches are when I find other peoples' shopping lists in my cart/basket.
But SRSLY people, don't all these incompetent shenanigans just make you sad? What's happened to America? We're...mediocre. We're undertrained, overworked, and underpaid, unless we're executives, in which case we're clueless, unconcerned and overpaid. Everything is getting so low-rent. Why aren't teh technologeez making us smarter, better, richer and fresher-smelling (ok, most of us do smell better than our grandparents did). We screwed over the rest of the planet with this subprime mortgage mess, and they're giving us payback by dumping our stocks and selling off our currency. Thank God for Milwaukee's Best!
Guess I'm going to the bank tomorrow. :(
@Shadowfire: Me too.
Maybe now's the time for me to set up a separate grocery account with a separate debit card.
@nequam: Yeah, due to the discussions here about safety (to me) of credit vs. debit cards, I recently got a credit card from Bank of America for my everyday plastic purchases (supermarket, drugstore, etc.), then called them to switch my full BofA debit/check card to a strictly ATM-only card:
BofA: OK sir, we can do that for you right now. I'm issuing you an ATM-only card, and we'll put that in the mail to you today.
Me: So when I get it and activate it over the phone, it will disable my present card?
BofA: Oh no sir, I'm deactivating your present card right now. You can't have them both active at the same time.
Me: Wait a minute, how will I access my account in the meantime if I have no working card until the one in the mail shows up?
BofA: I'm sorry, it's a security thing. Is there anything else I can help you with today?
Me: grrrrrrrrr.....
Thank you Consumerist for posting data breaches like this. I got stung by the VIP Tune thing, so far haven't seen anything unusual despite shopping at Hannaford's Sweetbay stores on occasion.
Something about this story doesn't make sense. From the Boston Herald version of the story ([www.bostonherald.com]) :
If the breach was discovered 3 weeks ago, how come the hole was still there last week? I find that almost more scary than the actual breach itself.
It's stories like this that make me happy that I am the guy that makes the IT choices at the small business I work for. When setting up the location I insisted on going wired the whole way.
I do find it amusing that she says "within a few years it had been cracked"; it was my understanding that WEP was cracked within days of existence.
Another problem with people setting up wireless networks is they pick passwords that are horribly easy. The best is to make the password horribly long and ugly, then stick it physically to the router. The idea being that if an attacker has access to your router you're not going to stop them with a WPA / WPA2 pass key.
Although typing @IBpuSl?j.R@(qdFYpFJYt^0>OXqUdBXf>zHtv1U04j;#m[UFqSyM`ZTw5uGw!6 into my Wii was a bit of an exercise in pain.
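The "long and ugly" passphrase advice in the comment above, as an added example (my code, not the commenter's and not from the original post). It assumes the WPA2-PSK rules from IEEE 802.11i: a passphrase is 8 to 63 printable ASCII characters, and the 256-bit pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 rounds. That derivation is cheap enough that a short, human-chosen passphrase can be guessed offline, which is why length and randomness matter; the commenter's 63-character string sits exactly at the WPA2 maximum. The sample passphrase in the block is the one quoted in the comment; the SSID and the "password"/"IEEE" pair are the standard's own test vector.

```python
import hashlib
import math
import secrets

# WPA2-PSK passphrase limits (IEEE 802.11i): 8 to 63 printable ASCII characters.
WPA2_MIN_LEN = 8
WPA2_MAX_LEN = 63
# Printable ASCII 0x20-0x7E is the full set the standard allows in a passphrase.
PRINTABLE_ASCII = "".join(chr(c) for c in range(0x20, 0x7F))
# For generation we drop the space (0x20) so the result survives copy/paste and
# hand-typing into a game console; that leaves 94 symbols, ~6.55 bits each.
GEN_ALPHABET = PRINTABLE_ASCII[1:]

# The 63-character passphrase quoted in the comment above (kept verbatim).
COMMENTER_EXAMPLE = "@IBpuSl?j.R@(qdFYpFJYt^0>OXqUdBXf>zHtv1U04j;#m[UFqSyM`ZTw5uGw!6"


def validate_passphrase(passphrase):
    """Return (ok, reason) for a candidate WPA/WPA2 passphrase.

    Checks the 802.11i length window and the printable-ASCII character set;
    routers reject anything outside these limits, so generators must respect them.
    """
    if not WPA2_MIN_LEN <= len(passphrase) <= WPA2_MAX_LEN:
        return False, "length must be %d-%d characters" % (WPA2_MIN_LEN, WPA2_MAX_LEN)
    if any(ch not in PRINTABLE_ASCII for ch in passphrase):
        return False, "only printable ASCII (0x20-0x7E) is allowed"
    return True, "ok"


def generate_passphrase(length=WPA2_MAX_LEN):
    """Generate a random passphrase with the OS CSPRNG (secrets), never random.*."""
    if not WPA2_MIN_LEN <= length <= WPA2_MAX_LEN:
        raise ValueError("WPA2 passphrase length must be 8-63 characters")
    return "".join(secrets.choice(GEN_ALPHABET) for _ in range(length))


def entropy_bits(passphrase, alphabet_size=len(GEN_ALPHABET)):
    """Brute-force entropy in bits if every character were drawn uniformly from
    an alphabet of alphabet_size symbols. This is an upper bound: a dictionary
    word has far less entropy than its length and character set suggest.
    """
    return len(passphrase) * math.log2(alphabet_size)


def derive_psk(passphrase, ssid):
    """WPA2 pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.

    Returns lowercase hex. One derivation is fast, so a weak passphrase offers
    little protection once an attacker can test guesses against a handshake.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32
    ).hex()


if __name__ == "__main__":
    fresh = generate_passphrase()
    print("generated:", fresh, validate_passphrase(fresh))
    print("entropy of generated: %.1f bits" % entropy_bits(fresh))
    print("entropy of an 8-letter lowercase word: %.1f bits" % entropy_bits("password", 26))
    print("PSK for 'password'/'IEEE':", derive_psk("password", "IEEE"))
```

The entropy comparison is the point: an eight-letter lowercase word is under 40 bits, while a 63-character random string is over 400, and the key derivation is identical for both, so the only thing standing between a captured handshake and the network key is that gap.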
I have some first hand knowledge of what happens during these sort of incidents. I was involved in the discovery, identification, and cleanup of a small scale credit card breach incident last year. In my case, it was less than 12,000 credit cards stolen. I was not responsible for the security or compliance of those systems until after the breach, and I learned quite a bit about this topic.
It appears Hannaford found out due to the level of fraud reported by customers, and not because they discovered evidence of the "hacker". Their technical and customer service team undoubtedly had to immediately sound the alarm, get senior management to take the issue seriously [sometimes difficult], make decisions, and then hire an outside investigative and forensic team to determine exactly what was going on, and then decide how to best deal with it from a technical and business point of view. The experts then had to stop the bad guys from taking any more of the data, without crippling Hannaford's ability to transact business, AND at the same time preserve whatever forensic evidence was there so that there would be any sort of chance that someone might eventually be caught and convicted for these crimes. And they were most likely doing all of this while having multiple daily conference calls with the Secret Service, their credit card clearing bank, and Visa and MasterCard.
As for exactly how it happened, I have no idea or inside knowledge, but I can offer some educated conjecture. There are many ways that they could have been attacked and penetrated, including deliberate misdeeds by trusted employees or contractors. Accomplishing a theft like this is not that hard, if you know where to attack. I'm sure a company of their size uses centralized "authorization gateways" which allow all of the cash registers in each of the stores to quickly exchange information with your credit card company or bank, and that is where the data was easiest to intercept and steal. Imagine if you will if someone had the ability to "make a photocopy" of every letter that went through your post office, without you noticing. This is roughly what the bad guys were doing with the credit card information as it was being transmitted to the bank to pay for the groceries you just purchased.
I am not too concerned about the timeliness of the notification -- three weeks is not too bad for a company their size and for all of the work that needed to be done and decisions made. You could argue that they should have notified the public sooner, but then you might have been even more upset if they initially said that the problem was only 500,000 accounts, and then later had to revise that to 4.2 million. I'd want to have as many facts as possible about what happened, if I was a company spokesperson, and it takes time to get the facts uncovered.
I spoke to their customer service tonight (I shop there at least once a week, and I am sure I am affected) and they were very clear that the ONLY information that was compromised were card numbers and expiration dates, and that they never store personally identifiable information, so there was no way for them to notify customers individually.
I do think the 1800 affected accounts are just the tip of the iceberg. What will be interesting now is to see how far Hannaford goes (or doesn't go) to "make it right" for their customers. Will they offer a sincere apology, improve their security, and give the customers a reason to continue shopping there? Or will they spin it, attempt to place blame and minimize what happened, and fail to "make it right" for the customers? They face a true public relations nightmare. I guess we will find out soon how it is going to turn out.
Lastly, according to some reports, Hannaford was in fact "PCI Compliant" before this problem. PCI is the Payment Card Industry data security standard that all merchants who accept credit or debit cards must adhere to. If true, then that is significant. If they were PCI DSS compliant before the incident, they would be the very first company to have a data breach after achieving PCI compliance. Of course, PCI only works if they were following all of the requirements and guidelines on a daily and weekly basis. It is likely that there were some human errors made which allowed an opening to be exploited.
@Asmordean: Ha...Now we know Asmordean's Password. Now if we can just figure out where he lives...
@Gorky: So do you keep all of that cash under a mattress in your home, or do you keep it in a Bank that uses computers, and transmits your account information electronically over their network (and over the internet)? Granted, one would HOPE that the bank would encrypt all data and secure their network properly, but their IT staff is only human and I am sure that they make mistakes too...just as they are subject to internal theft from employees.
@DrGirlfriend: I believe Gorky is a professional mugger, thus the predilection for the rest of us to carry cash.
[puppy] KICK [/puppy]
Meanwhile, time to tell my favorite bank, hey I need a new debit card pls.
Cue the worthless free credit monitoring offer in 3... 2...
Seriously, I'd love to see one of these companies pay for a credit freeze for once.
My problem with this whole thing is that they've known for weeks but didn't inform customers at all. The news picked it up and mass broadcast it. Then the breach started in December and they did nothing. Hannaford is the closest grocery store to me (rural area), but I'll spend the extra gas money now and avoid them.
We were caught in the VA and the TJX data breach. There was lots of talk about getting everyone in the VA breach free credit monitoring. Nothing happened. The TJX breach, yea right. The way that is going we will never see anything and neither will our bank that had to reissue cards.
I am leaning more towards using cash. So far the odds of being mugged or robbed seem to be less than getting robbed by fraud.
@Gorky: They make credit & debt cards too, what's your point?
My wife had her purse stolen last October (@ Hannafords). We regularly shop there at least 2x a week. We had all new cards issued, new bank accounts, fraud alert etc.
2 weeks ago, citibank calls us on a sunday morning to ask if we had just charged $10,000.00 to Harvard University! We couldn't understand how someone had our newly issued card #. Now we know.