Hannaford hackers steal credit card data from supermarket chain, Sophos offers advice

March 18, 2008 Sophos Press Release

Following a security breach which has exposed 4.2 million credit and debit card numbers belonging to supermarket customers, IT and security firm Sophos has urged consumers to check their statements for unauthorized transactions, and advised businesses to make sure that they are doing everything they can to ensure PCI compliance.

Sophos has issued the advice following the announcement by the Hannaford Bros. supermarket chain that hackers gained access to details of credit cards used by customers between December 2007 and early March 2008. Hannaford has 165 grocery stores in the New England area of the USA. Another affected high-street name, Sweetbay, has 106 supermarkets in Florida. According to media reports, the Secret Service is investigating and approximately 1800 fraud cases have already been reported as a result of the incident.

Hannaford says it discovered the data breach on 27 February 2008.

"Hannaford and its customers are victims of a criminal heist. All big businesses must defend their systems from these kinds of intrusions or risk undermining customer confidence. Consumers, meanwhile, need to keep a close eye on their credit card accounts and raise a flag if there are unexpected debits which could be the work of fraudsters. The concern is that with 'fresh' credit card numbers and expiry dates in circulation, crimes may continue to be committed against those unfortunate enough to have had their data stolen," said Graham Cluley, senior technology consultant at Sophos. "This isn't about entering your credit card details on a dodgy website, but a case where you hand over your card to a cashier in a store that you would normally trust to look after your data. Potentially affected consumers should watch their card statements like a hawk, and other businesses should take this as a wake-up call to ensure that they have strong security in place to avoid a similar incident happening to them."

Sophos experts note that this is not the first time a well-known retail chain has had credit card information stolen from it.

"This hack may not be as huge as the TJMaxx data breach which exposed up to 100 million credit cards, but it is still serious for those who may be impacted," continued Cluley. "Thankfully it appears that on this occasion address and other contact details were not also acquired by the criminals, but people should not disregard the potential for more attempts at fraud."

Credit and debit card customers who might be affected by the data breach are advised by Sophos to take the following steps:

  • Carefully review the statements for their debit and credit cards for unauthorized transactions. Open your statements promptly, and compare your receipts to your billing statements.
  • If you detect any unauthorized or suspicious use of your card, contact your credit card issuer or issuing bank immediately. By law, you will have no liability for unauthorized use if your credit card number, but not the card itself, has been stolen.

Hannaford has set up a special telephone number for customers who have questions or concerns about the security incident: 866-591-4580.