retail news in context, analysis with attitude

The Wall Street Journal this morning reports that two Delhaize-owned US companies, Hannaford Bros. and Sweetbay Supermarkets, have been hit by a credit card breach that exposed as many as 4.2 million cards to the potential of fraud. To this point, the company has identified about 1,800 specific cases of fraud related to the breach, with the unauthorized use of cards in places as disparate as Houston, Detroit, San Francisco, France and Brazil.

In a letter to shoppers posted on Hannaford’s website, CEO Ron Hodge wrote:

“Hannaford has contained a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.

“We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry. The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization.

“The intrusion affected Hannaford stores, Sweetbay stores in Florida and certain independently-owned retail locations in the Northeast that carry Hannaford products.

For more than 125 years, Hannaford has been dedicated to earning customer trust, and we want to provide you with these recommended steps:

• “Carefully review your financial institution and credit card statements, and immediately contact your credit card company or issuing bank with any questions or concerns about individual charges.

• “For more information or with questions, please call our Customer Information Center at 866-591-4580.

“Hannaford is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected. We also alerted law enforcement authorities, and are working closely with them to help identify those responsible.”

On the Sweetbay site, there is an additional caution to consumers:

“Criminals take advantage of situations like this to try to obtain personal information like credit and debit card numbers, PINS and social security and driver's license numbers. We will not send emails asking for personal information or call you to confirm your personal information. If you receive an email that appears to be from Hannaford or one of our stores, or a telephone call from someone claiming to be a representative of Hannaford or one of our stores, do not provide any personal information (including credit or debit card number, social security number, or driver's license). If you suspect you have received such a ‘hoax’ email or call, please report it to us, using our toll-free number.”

According to the Journal, it is believed that the breach took place on December 7. “A person familiar with the inquiry said investigators are looking into the possibility that the breach occurred in Hannaford's wireless system for transmitting data between the card-swiping machine and a computer server,” the Journal writes. “Security experts have identified wireless transmissions as a particular vulnerability for retailers.

“Last year Hannaford Bros. upgraded the encryption system for its credit-card and computer networks to one that is more difficult for outsiders to crack. The system is recommended by major credit-card associations, and the upgrade was completed about a week before the incident is believed to have taken place.”

The Boston Globe this morning notes that “the intrusion is only the latest to strike a large retailer and comes amid growing scrutiny of the payments industry, which faces tough proposed rules on how customer information is handled. Concern over the issue crystallized last year following the theft of up to 100 million customer card numbers from Framingham retailer TJX Cos. Also last year, four men from Southern California received prison sentences after pleading guilty to US charges they stole payment information at checkout counters at Stop & Shop Supermarket Cos. stores in Rhode Island.”

And, the Globe writes, “What could make the Hannaford case unusual is that since last spring its stores have met industry standards regarding how customer data is stored and maintained … Many other retailers victimized by breaches, including TJX, had been faulted for lax security.”

The Globe continues: “Banks have previously complained that Visa and MasterCard system rules put too many of the costs of dealing with data breaches on financial institutions. Yesterday, before Hannaford's disclosure, the Massachusetts Bankers Association said in a statement that up to 70 banks in Massachusetts had been warned by MasterCard and Visa of a data breach at a major retailer between Dec. 7 and March 10, but that the credit card firms had not named the retailer. Not long afterward, Hannaford came forward. A representative for Visa said executives wouldn't comment. A MasterCard spokesman didn't respond to questions.”

KC's View:
Beyond the obvious importance of this story from a journalistic point of view, when I first saw the reporting this morning I immediately thought about the fact that I used my debit card while shopping at a Hannaford store late last fall. So I’m thinking I’d better take a second look at my statements.

That said, job one at Hannaford and Sweetbay is to reassure and advocate for shoppers. I think they’re doing a pretty good job, and other retailers should pay attention … because it seems likely that these kinds of problems are eventually going to get everybody and every company.

Life in the 21st century simply ain’t simple.