Hannaford Data Breach Exposes More Than 4 Million Cards

The Hannaford supermarket chain confirmed on Monday a "data intrusion" during payment authorization transmissions that exposed some 4.2 million credit and debit cards and led to 1,800 reported cases of fraud thus far.

During the breach, "no personal information, such as names or addressed, was accessed or obtained" but the breach did expose customer credit and debit card numbers along with their expiration dates, said Hannaford CEO Ronald Hodge.

[On Thursday, another Hannaford official changed that position, confirming that the CVV card verification codes were also taken. Michael Norton, manager of internal communications at Hannaford, reiterated, though, that no Track 1 data was apparently taken.]

"Hannaford was first made aware of unusual credit card activity on Feb. 27 and immediately initiated a comprehensive investigation," the statement said. The breach, though, began a couple of months earlier, back on Dec. 7, 2007, according to officials involved in the probe.

Hodge said in a statement that "Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions."

Some inconsistencies remain. (See What Did Hannaford Know And When Did It Know It news analysis.) One company official said the frauds using the stolen information—at least those that have been identified thus far—did not occur online, in an attempt to explain why the frauds could have happened without the cyberthieves having stolen the Card Verification Value (CVV) code on the back of most credit cards.

Most data thieves like to steal the data from in-store—the Willie Sutton strategy of going where the money is—but to use the stolen data to buy goods online, where anonymity rules. But many E-Commerce sites require the CVV for online purchases.

The most popular in-store fraud mechanism is creating bogus credit cards with the stolen data, but that would often require more information than just credit or debit number and the expiration data.

The Wall Street Journal reported that the U.S. Secret Service is "investigating the possibility" (let's not nitpick that no one really needs to investigate a certainty) that PINs (from debit cards, presumably) were also accessed.

And, yes, it wouldn't be much of a retail data breach if wireless wasn't dragged in. The Journal accommodates: "A person familiar with the inquiry said investigators are looking into the possibility that the breach occurred in Hannaford's wireless system for transmitting data between the card-swiping machine and a computer server."

The Hannaford statement that the "intrusion impacted Hannaford stores in New England and New York state and Sweetbay stores in Florida. Also affected are certain, independently-owned retail locations in the Northeast that carry Hannaford products."

One Hannaford employee said those independent locations act similar to franchisees, in that they are not owned by Hannaford by they use Hannaford's POS systems and networks.

The 27,000-employee chain of Hannaford Bros. Co. is based in Scarborough, Maine, and operates 165 stores under the Hannaford Supermarket and Hannaford Supermarket and Pharmacy names. An affiliated chain, Sweetbay Supermarket, based in Tampa, operates 106 stores in Florida. Both companies are owned by Delhaize Group of Brussels, Belgium.

Although many similarities exist between this data breach and last year's infamous TJX incident—which exposed more than 100 million cards over the multiple years, in the credit card industry's worst-ever data breach—there is reportedly one key difference. Digital Transactions News quoted the head of Hannaford marketing as saying that the chain had been certified PCI compliant. "We were certified [as PCI-compliant] last spring and we were recertified in February." (See The Hannaford PCI Fallout column.)

The Wall Street Journal quoted that same Hannaford executive--Carol Eleazer—as touting that Hannaford had just last year upgraded its POS encryption (although it didn't say to what) and that "the upgrade was completed about a week before the incident is believed to have taken place." (That's perfect for one of those CFO-briefing good news bad news jokes: "Good news, boss. We finished our upgrade just in time. The bad news: it didn't help.")

The DTN quoted Eleazer as being more specific, saying that it was their wireless encryption that had been upgraded in 2007.

Although we couldn't secure details of those changes from Hannaford, Verifone Holdings issued a statement early last year—on Jan. 15, to be precise—that it had sold Hannaford its MX830, a model that Verifone described as its "entry point" for the line at that time.

Verifone officials did not initially reply to a request for an interview, with one representative saying they were hesitant to be quoted in a story about Hannaford at this time, due to sensitivities. But their statement from last year did provide some hints about Hannaford's payment setup.

"A key requirement for Hannaford's payment solution selection was the ability to integrate the MX830 with the WinEPS Electronic Payments software from MTXEPS, Inc. WinEPS is a payment engine that provides electronic payment options that range from Debit and Credit transactions, to EBT, gift card and check authorization," that 2007 Verifone statement said. MTXEPS President Jon Elwood was quoted saying: "We are looking forward to working with VeriFone and Hannaford in this migration to the next-generation payment platform."

Hannaford uses First Data for their card processing.