Hannaford and Sweetbay supermarkets announce compromise of 4.2 million credit and debit cards
Technorati Tag: Security Breach
Date Reported:
3/17/08
Organization:
Delhaize Group
Contractor/Consultant/Branch:
Hannaford Bros. Co
Sweetbay Supermarket
Victims:
Customers of Hannaford stores, Sweetbay stores in Florida and certain independently-owned retail locations in the Northeast that carry Hannaford products.
Number Affected:
4,200,000
Types of Data:
Credit card and debit card information
Breach Description:
"New England grocery chain Hannaford Brothers says a security breach has exposed 4.2 million customer credit- and debit-card numbers to scammers, with 1,800 fraud cases already reported." Anyone who used a credit or debit card between December 7, 2007 and March 10, 2008 at any one of the 165 Hannaford stores in the Northeast or 106 Sweetbay stores in Florida is a potential victim of this breach.
Reference URL:
Message from Hannaford CEO Ron Hodge
The Boston Herald
The Boston Globe
PC World
Report Credit:
Hannaford Bros. Co.
Response:
From the online sources cited above:
BOSTON -- Two grocery store chains -- Hannaford Bros. and Sweetbay Supermarket -- both owned by Belgium-based Delhaize Group SA, suffered a credit-card data breach, the companies said Monday.
Hannaford has contained a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.
exposed about 4.2 million credit and debit card numbers
about 1,800 cases of fraud have been tied to the breach
[Evan] This is probably a hint as to how Hannaford became aware of the breach. I am guessing that Hannaford was clueless until investigators contacted them.
evidence of unauthorized uses of card data has surfaced in Houston, Detroit, San Francisco, France and Brazil.
We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry. The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization.
[Evan] Their information security is "among the strongest in the industry"? Here is a hint as to how the information was illegally obtained, "during transmission of card authorization".
The intrusion affected Hannaford stores, Sweetbay stores in Florida and certain independently-owned retail locations in the Northeast that carry Hannaford products.
Hannaford operates 165 stores in the Northeast. There are 106 Sweetbay supermarkets in Florida.
the breach began on Dec. 7 and continued until last Monday.
Hannaford is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected. We also alerted law enforcement authorities, and are working closely with them to help identify those responsible.
the U.S. Secret Service is investigating the possibility that Track 2 data -- including PIN numbers and expiration dates contained on credit cards -- were compromised
We realize this incident may raise concerns and questions for our customers, and we sincerely regret any inconvenience this attack on our system may cause you. As always, we appreciate you choosing to shop at Hannaford. We remain committed to providing you with the finest foods and a clean, friendly and secure shopping experience.
[Evan] This will be my understatement of the day, "We realize this incident may raise concerns and questions for our customers". You think? The banks are probably a little torqued too!
Commentary:
This is going to be another legal battle. State and/or federal legislators are going to want more laws and regulations. The consumers are caught in the middle, and the banks are going to want their money back. 4.2 million credit and debit card numbers heisted over a three month period is pretty hard to explain away.
How do you suppose the data was captured by thieves? I know that Hannaford claims "during transmission of card authorization", but where? Was the data captured while it was in transit over a public network? The Payment Card Industry Data Security Standard (PCI DSS) states:
"Requirement 4: Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit."
It's hard for Hannaford to claim they didn't know.
I sincerely hope that the statement "our systems, which we believe, are among the strongest in the industry", isn't true. If it is, then we are in for a lot more breaches like this one, and more regulations to comply with.
This breach reminds me of a conversation I had a few years ago with the head of information security for a top 10 US bank. He complained to me for ten minutes about how he was being forced to spend three million dollars to encrypt data between ATMs and central processing. He claimed that the bank doesn't really have to be "secure", it only needs to be more secure than the next guy. Believe it or not, he is still the head of security at the same bank. Oy vey.
Past Breaches:
Unknown
Evan: Legally speaking, we can't expect the PCI to keep pace with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. --Ben