Supermarket Data Breach Exposed 4.2 million Cards to Hackers

A grocery store operator said Monday that hackers broke into its card approval system in the Northeast U.S. and Florida causing about 4.2 million credit and debit card accounts to be exposed to people outside the network.

Scarborough, Maine-based Hannaford Bros. Co. said that consumer card information from all of its 165 stores in New England and New York and 106 Sweetbay-branded stores in Florida was exposed in a period from December 7, 2007 to March 10. A number of smaller independent stores in the Northeast that carry Hannaford products and use the company’s network were also impacted.

A Hannaford spokesperson told the Associated Press that the card information was exposed during the approval process, an exposure of only seconds. The company said that 1,800 customers had already reported fraud on their cards.

Hannaford also emphasized that only card numbers were stolen; no personal consumer information, such as names or addresses, was exposed.

The U.S. Secret Service is investigating the case but has yet to comment on it. The Secret Service, historically an arm of the Treasury Department but now under the Homeland Security Department, is responsible for investigating electronic crimes involving money.

Hannaford also said that as a retailer that accepts card payments, it adheres to secutiry standards outlined by the PCI Security Standards Council. The spokesperson noted that a similar breach involving TJX Company stores last year (“TJX Says 45.7 million Credit Card Numbers Stolen in Breach,” March 30, 2007) involved an access point on a wireless network but that Hannaford does not use wireless systems in its card processing.