Most of the time when I write about the risks for credit card data fraud, I don't expect to be writing about being personally at risk. However, with yesterday's announcement by the Hannaford supermarket chain that more than 4.1 million customers' credit or debit card information may have been exposed, I can be sure that we're in that group somewhere.
There are lots of issues with this breach that should be of concern. First is the length of time this has been happening. According to all reports, it appears this breach has been ongoing since December and was only discovered February 27th.
Second is the breadth of geography represented by the breach, and the fact that the breach goes beyond just Hannaford's own properties. Not only does it impact more than 250 stores in the Northeast and Florida, but, according to a statement on the Hannaford website, it also impacts "certain independently-owned retail locations in the Northeast that carry Hannaford products." As Evan Schuman on StorefrontBacktalk points out, "The fact that the breach accessed data from outside merchants that just happened to carry Hannaford products suggested something more extensive than a mere encryption hole at POS, presumably allowing the cyberthief—assuming it wasn't an inside job—to access credit and debit card data as it came into the system from other merchants, who presumably already charged the customers at their own POS."
Third, while the statement from Hannaford CEO Ron Hodge states "No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions", the reality is, according to the Portland Press Herald, there are already "1,800 fraud complaints tied to the security failure thus far." It will be interesting to determine how these 1,800 transactions were processed without some level of customer information being involved too.
The fourth disturbing element of this breach is the reports from Hannaford personnel that the data was collected at the register. "Carol Eleazer, a Hannaford spokeswoman, said thieves accessed card numbers and expiration dates as they were being transmitted for authorization in checkout lines," according to the Press Herald account. It is difficult to imagine that there were people at every checkout of all 250-plus stores for a three-month period. It seems far more likely that whoever committed this crime was able to use a vulnerability in a local store system to find a way to access the company's entire database, either at a corporate data center or an external card processor, depending on their set-up.
While this is still far smaller than the TJX breach involving more than 40 million customer accounts, it still leaves many questions to be answered about what steps major retailers are taking to help protect their customers' private information from being used maliciously.
You might want to think about paying for your groceries with paper rather than plastic for a while.
Contributed by Mark Tordoff
