Wednesday, March 19, 2008

Sweetbay Supermarket Latest Data Breach Victim

Another day, another data breach. This one affects more than 4 million Sweetbay/Hannaford customers in New England, New York and Florida who used their credit or debit cards between Dec. 7, 2007 and March 10, 2008.

The breach was discovered in late February when a payment card clearinghouse notified Hannaford of an unusual number of payment card transactions. Hannaford transmits its data over phone lines and uses encrypted wireless communications to transmit numbers inside its stores. The hackers snatched the credit/debit card data sometime between when the customers swiped their cards in the reader at the register and when those transactions were approved.

According to news reports, Hannaford's security measures met industry standards with regard to how data is stored and maintained (unlike the TJX breach, which was blamed on lax security). Experts are anticipating that this may be just the first of many cases to surface this year wherein the affected retailer was hacked even though it appeared to be following all of the security rules laid out by the credit card associations.

Cybertrust's Bryan Sartin said,

"[We have] found with a number of very recent compromises that attackers have seized control over the very terminals that control cash registers or point-of-sale systems within a retail store, or the server through which all registers connect to pass transaction data out across the Internet to the store's payment processor." Once these systems have been compromised, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.

Kevin Mandia, president of Mandiant Corp., a company that specializes in investigating data breaches, said, "We're seeing at least two new companies a week discovering that they've lost credit card numbers, and at the rate we're going [the criminals] are going to exhaust U.S. retailers as targets."

To date, about 2,000 cases of fraud have been reported in the Hannaford/Sweetbay breach. The company is asking consumers who have questions, or information about their data being used fraudulently, to call 866-591-4580.

Each of you should be regularly reviewing your financial institution and credit card statements, and immediately contacting your credit card company or issuing bank with any questions or concerns about individual charges. If you are concerned that your credit/debit card data has been compromised, you may file a fraud alert on your credit report by calling one (just one) of the three major credit bureaus:

Equifax: 1-800-525-6285
Experian: 1-888-397-3742
TransUnion: 1-800-680-7289

The fraud alert is good for 90 days. Once you place a fraud alert on your credit report, you will receive information via mail about ordering one free credit report from each of the companies. You may want to wait a month before ordering the report as it may take some time for suspicious activity to appear on the report.