Hannaford Data Breach Exposes More Than 4 Million Cards

Written by Evan Schuman
March 17th, 2008

The Hannaford supermarket chain confirmed on Monday a "data intrusion" during payment authorization transmissions that exposed some 4.2 million credit and debit cards and led to 1,800 reported cases of fraud thus far.

During the breach, "no personal information, such as names or addresses, was accessed or obtained," but the breach did expose customer credit and debit card numbers along with their expiration dates, said Hannaford CEO Ronald Hodge.

[On Thursday, another Hannaford official changed that position, confirming that the CVV card verification codes were also taken. Michael Norton, manager of internal communications at Hannaford, reiterated, though, that no Track 1 data was apparently taken.]

"Hannaford was first made aware of unusual credit card activity on Feb. 27 and immediately initiated a comprehensive investigation," the statement said. The breach, though, began a couple of months earlier, back on Dec. 7, 2007, according to officials involved in the probe.

Hodge said in a statement that "Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions."

Some inconsistencies remain. (See What Did Hannaford Know And When Did It Know It news analysis.) One company official said the frauds using the stolen information—at least those that have been identified thus far—did not occur online, in an attempt to explain why the frauds could have happened without the cyberthieves having stolen the Card Verification Value (CVV) code on the back of most credit cards.

Most data thieves like to steal the data in-store—the Willie Sutton strategy of going where the money is—but then use the stolen data to buy goods online, where anonymity rules. Many E-Commerce sites, however, require the CVV for online purchases.

The most popular in-store fraud mechanism is creating bogus credit cards with the stolen data, but that would often require more information than just the credit or debit card number and the expiration date.

The Wall Street Journal reported that the U.S. Secret Service is "investigating the possibility" (let’s not nitpick that no one really needs to investigate a certainty) that PINs (from debit cards, presumably) were also accessed.

And, yes, it wouldn’t be much of a retail data breach if wireless wasn’t dragged in. The Journal accommodates: "A person familiar with the inquiry said investigators are looking into the possibility that the breach occurred in Hannaford’s wireless system for transmitting data between the card-swiping machine and a computer server."

The Hannaford statement said that the "intrusion impacted Hannaford stores in New England and New York state and Sweetbay stores in Florida. Also affected are certain, independently-owned retail locations in the Northeast that carry Hannaford products."

One Hannaford employee said those independent locations act much like franchisees, in that they are not owned by Hannaford but they use Hannaford’s POS systems and networks.

The 27,000-employee chain of Hannaford Bros. Co. is based in Scarborough, Maine, and operates 165 stores under the Hannaford Supermarket and Hannaford Supermarket and Pharmacy names. An affiliated chain, Sweetbay Supermarket, based in Tampa, operates 106 stores in Florida. Both companies are owned by Delhaize Group of Brussels, Belgium.

Although many similarities exist between this data breach and last year’s infamous TJX incident—which exposed more than 100 million cards over multiple years, in the credit card industry’s worst-ever data breach—there is reportedly one key difference. Digital Transactions News quoted the head of Hannaford marketing as saying that the chain had been certified PCI compliant. "We were certified [as PCI-compliant] last spring and we were recertified in February." (See The Hannaford PCI Fallout column.)

The Wall Street Journal quoted that same Hannaford executive—Carol Eleazer—as touting that Hannaford had just last year upgraded its POS encryption (although it didn’t say to what) and that "the upgrade was completed about a week before the incident is believed to have taken place." (That’s perfect for one of those CFO-briefing good-news/bad-news jokes: "Good news, boss. We finished our upgrade just in time. The bad news: it didn’t help.")

The DTN quoted Eleazer as being more specific, saying that it was their wireless encryption that had been upgraded in 2007.

Although we couldn’t secure details of those changes from Hannaford, Verifone Holdings issued a statement early last year—on Jan. 15, to be precise—that it had sold Hannaford its MX830, a model that Verifone described as its "entry point" for the line at that time.

Verifone officials did not initially reply to a request for an interview, with one representative saying they were hesitant to be quoted in a story about Hannaford at this time, due to sensitivities. But their statement from last year did provide some hints about Hannaford’s payment setup.

"A key requirement for Hannaford’s payment solution selection was the ability to integrate the MX830 with the WinEPS Electronic Payments software from MTXEPS, Inc. WinEPS is a payment engine that provides electronic payment options that range from Debit and Credit transactions, to EBT, gift card and check authorization," that 2007 Verifone statement said. MTXEPS President Jon Elwood was quoted saying: "We are looking forward to working with VeriFone and Hannaford in this migration to the next-generation payment platform."

Hannaford uses First Data for its card processing.


One Comment

  1. Randy Carr Says:

    This unfortunate situation seems to validate the differences between compliance with PCI standards and a truly secure payment system. The PCI DSS is an excellent place to start for anyone looking for insight into what the card brands feel are best practices related to payment system security. However, it has been and will remain my opinion that when it comes to protecting credit card information in the merchant environment, stronger measures would equate to building higher walls around the data… hackers and thieves will ultimately show up with “taller ladders”.

    Had the credit card data been removed BEFORE it entered the POS and been replaced with an electronic Token, this could have all been avoided. The idea being: “They can’t steal what you don’t have”.
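To make the commenter's tokenization point concrete, here is an added example (not code from the article, Hannaford, or any vendor named above) of a hypothetical token vault that swaps the PAN for a random token before anything reaches the POS, so a record captured from the store's authorization path holds no card number. The PANs are constructed test numbers, and the vault, its interface, and the function names are all assumptions for illustration.

```python
import secrets

# Constructed sample PANs (standard test numbers that pass the Luhn check; not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

def luhn_ok(pan: str) -> bool:
    """Luhn check, used to reject malformed PANs before they are tokenized."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        checksum += d
    return checksum % 10 == 0

class TokenVault:
    """Hypothetical vault outside the store network; the only component that
    holds the token-to-PAN mapping (assumption: POS reaches it only via tokenize)."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:          # same PAN always maps to the same token
            return self._token_by_pan[pan]
        # Random token: the last four digits survive for receipts; the rest is
        # drawn from a CSPRNG and has no mathematical relation to the PAN.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor side should ever call this; the POS never does."""
        return self._pan_by_token[token]

def pos_authorization_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the store POS keeps and transmits: a token, never the PAN or CVV."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}

def record_leaks_pan(record: dict, pans) -> bool:
    """True if any full PAN appears in a captured POS record (a defender's check)."""
    return any(p in str(val) for val in record.values() for p in pans)
```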



