The Hannaford Brothers grocery chain has received a lot of attention during the last week. On March 18, the Boston Globe reported:
"Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency."
There's no getting around the fact that 4.2 million debit card and credit card numbers are a lot. Not as many as in the TJX/TJ Maxx breach and data security debacle, but a lot nonetheless. Hannaford's response:
"A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken..." In a statement posted to Hannaford's website, chief executive Ronald C. Hodge wrote that the data "was illegally accessed from our computer systems during transmission of card authorization."
During the transmission? An MSNBC report on March 20 seemed to best explain this:
"While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit. "Catching data on the move is a bit more challenging," said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway."
Okay, I get it: identity criminals are computer-savvy and smart enough to find holes in computer systems to hack into. The criminals are also fast: within a month they generated at least 1,800 reports of identity and credit card fraud. The MSNBC article also highlighted two important points about the Hannaford data breach. First:
"But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards. For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval."
Second:
"... that Hannaford was found — while the hack was still going on last month — to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed."
This is important because:
"The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants — and by extension, their customers — are falsely confident about their security."
The MSNBC article added:
"... the [PCI] standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment... Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process."
That's just peachy. First, the rules aren't strong enough to guarantee compliance. Second, the rules are loose enough to allow retailers to cut corners and not encrypt our sensitive personal data throughout the retailers' entire data transmission process. Why?
"But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware."
One industry expert proposed a solution:
"... the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions would remove 75 to 90 percent of the fraud in the system."
"A retailer's [PCI] compliance status matters: The penalties for noncompliance are significant, and the card brands can fine the retailer while also raising the transaction fees levied for each credit or debit card transaction. A finding of noncompliance also will be potent ammunition for inevitable lawsuits. The big loser: consumers."
Yes, we consumers are the big loser. We consumers end up paying:
- Higher credit card fees and/or higher interest rates from credit card issuers to cover their expenses to issue replacement cards and accounts. While identity theft victims enjoy the $50 credit card liability limit, credit card issuers cover their identity theft expenses by charging higher fees and rates to all credit card holders.
- Higher banking fees, because banks must issue replacement debit cards and accounts. A few generous banks may also replace the stolen monies. Banks charge higher fees, and fees on a wider range of transactions, to cover their identity theft expenses, too.
In my opinion, the consequences and fines to retailers still aren't severe enough. In both scenarios above, the companies pass along their increased costs to consumers. While replacement credit cards with a $50 maximum liability are great, one year of free credit monitoring for identity theft victims isn't enough.
The good news just kept coming. More stores were affected by the Hannaford breach. Also on March 20, the Albany Times Union reported:
"Independent stores in Ravena and Schaghticoke affiliated with Hannaford were also affected by the recent hacking of customer credit card numbers, the Scarborough, Maine-based supermarket chain said today. The company’s Web site lists more than 20 independents around the Northeast that had credit card information stolen as a result of the security breach. Hannaford supplies the Ravena and Schaghticoke stores, which operate under the Shop ‘n Save name, but does not own them. In September, Hannaford purchased formerly independent stores in West Sand Lake and Voorheesville."
Several class-action lawsuits have already been filed against Hannaford in New Hampshire, Maine and Pennsylvania. What's a consumer to do?
- Contact your bank and credit card issuer, if you shopped and paid with plastic at Hannaford between Dec. 7, 2007 and March 10, 2008.
- If you continue to shop at Hannaford, use your credit card and not a debit card to get the best protections. Or use cash.
- If you are a Hannaford identity theft victim, read closely any correspondence you receive from the company. File a police report for any monies stolen or abuse of your financial accounts. Place a Fraud Alert on your credit reports. Monitor your credit reports closely for abuse, since criminals may use your stolen personal data to try to take out new credit in your name. If Hannaford offers free credit monitoring, accept their offer if you don't already have a credit monitoring service. Watch the news to see if you qualify for any of the class-action lawsuits.
- Read the I've Been Mugged blog. During the coming weeks, I will post on this blog reviews of several credit monitoring services. There is a link at the top of the right column to sign up for alerts via e-mail.