Following a security breach which has exposed 4.2 million credit
and debit card numbers belonging to supermarket customers, IT and
security firm Sophos has urged consumers to check their statements
for unauthorized transactions, and advised businesses to make sure
that they are doing everything they can to ensure PCI compliance.
Sophos has issued the advice following the announcement by the
Hannaford Bros. supermarket chain that hackers gained access to
details of credit cards used by customers between December 2007 and
early March 2008. Hannaford has 165 grocery stores in the New
England area of the USA. Another affected high-street name,
Sweetbay, has 106 supermarkets in Florida. According to media
reports, the Secret Service is investigating and approximately 1800
fraud cases have already been reported as a result of the
Hannaford says it discovered the data breach on
27 February 2008.
"Hannaford and its customers are victims of a criminal heist.
All big businesses must defend their systems from these kinds of
intrusions or risk undermining customer confidence. Consumers,
meanwhile, need to keep a close eye on their credit card accounts
and raise a flag if there are unexpected debits which could be the
work of fraudsters. The concern is that with 'fresh' credit card
numbers and expiry dates in circulation, crimes may continue to be
committed against those unfortunate enough to have had their data
stolen," said Graham Cluley, senior technology consultant at
Sophos. "This isn't
about entering your credit card details on a dodgy website, but a
case where you hand over your card to a cashier in a store that you
would normally trust to look after your data. Potentially affected
consumers should watch their card statements like a hawk, and other
businesses should take this as a wake-up call to ensure that they
have strong security in place to avoid a similar incident happening
Sophos experts note that this is not the first time a well-known
retail chain has had credit card information stolen from it.
"This hack may not be as huge as the TJMaxx data
breach which exposed up to 100 million credit cards, but it is
still serious for those who may be impacted," continued Cluley.
"Thankfully it appears that on this occasion address and other
contact details were not also acquired by the criminals, but people
should not disregard the potential for more attempts at fraud."
Credit and debit card customers who might be affected by the
data breach are advised by Sophos to take the following steps:
- Carefully review the statements for their debit and credit
cards for unauthorized transactions. Open your statements promptly,
and compare your receipts to your billing statements.
- If you detect any unauthorized or suspicious use of your card,
contact your credit card issuer or issuing bank immediately. By
law, you will have no liability for unauthorized use if your credit
card number, but not the card itself, has been stolen.
Hannaford has set up a special telephone number for customers
who have questions or concerns about the security incident: