Hannaford Got Hacked
posted by
1970s Abraham Lincoln
posted
3/18/2008 11:05:47 AM
Be sure to check your credit and debit card statements if you've (ever?) shopped at Hannaford. 
The supermarket chain announced yesterday that their network has been breached, and that credit and debit card numbers have been stolen:
Dear Customer:
Hannaford has contained a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.
We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry. The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization.
The intrusion affected Hannaford stores, Sweetbay stores in Florida and certain independently-owned retail locations in the Northeast that carry Hannaford products.
For more than 125 years, Hannaford has been dedicated to earning customer trust, and we want to provide you with these recommended steps:
- Carefully review your financial institution and credit card statements, and immediately contact your credit card company or issuing bank with any questions or concerns about individual charges.
- For more information or with questions, please call our Customer Information Center at 866-591-4580.
Hannaford is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected. We also alerted law enforcement authorities, and are working closely with them to help identify those responsible.
We realize this incident may raise concerns and questions for our customers, and we sincerely regret any inconvenience this attack on our system may cause you. As always, we appreciate you choosing to shop at Hannaford. We remain committed to providing you with the finest foods and a clean, friendly and secure shopping experience.
Sincerely,
Ronald C. Hodge
President and CEO
Hannaford
Missing from the official statement is any indication of when the breach took place, or how many months (or years) of data was stolen. So for the sake of safety, assume that if you've ever used a credit or debit card at a Hannaford store, your information may have been stolen. Furthermore, there's no indication that the breach even happened this year. TJX waited months to announce that their customer data had been stolen.
Particularly troubling for me, though, is this statement:
The stolen data was limited to credit and debit card numbers and
expiration dates, and was illegally accessed from our computer systems
during transmission of card authorization.
When a credit card is swiped, the information stored on the magnetic strip is passed to the card processor. This is not just the card number and expiration date - it includes the cardholder's name and other data (including the CVV number required for telephone and internet transactions). I'm not sure how they reconcile this with the statement that "No personal information, such as names or addresses, was accessed." Hopefully we'll see a full accounting of the intrusion (including dates of transactions affected) in the coming days.
Update: Unofficially, the story is that the hack was discovered in late February, and affects transactions made since the first of the year.
Tags: hannaford, bad network security
- Archive Link