Credit crunch

Hackers’ filching of credit, debit card data has Hannaford, customers scrambling



Commiserating outside the Hannaford supermarket in Kingston Plaza last Tuesday, Andrea Stoutenburg of Kingston (left) said she would continue to use her debit card at the store “as long as they fix the problem.” Linda Bergenn (center) will still use her credit card, but will check her statements closely and “be on guard.” Joey Stoutenburg (right) had no opinion on the subject, but seemed to be taking the latest financial crisis in stride. (Photo by Paul Joffe)

By Steve Hopkins

The technology upon which America’s credit-happy house of cards is built is under attack. Citizens in a vast swath of the eastern United States, including all of New York State and the Hudson Valley, are still reeling from the massive and unprecedented data stream thievery of their credit and debit card account numbers and expiration dates from 4.2 million transactions made at Hannaford Brothers Companies stores over a three-month period starting on Dec. 7, 2007, the 66th anniversary of the Japanese attack on Pearl Harbor. Although the actual number of successful thefts of data is unknown, an investigation has revealed that upwards of 2,000 actual cases of recent fraud can be traced to the breach. The U.S. Secret Service is investigating.

Hannaford has issued a general directive exhorting customers who think they may have swiped a credit or debit card at a Hannaford store between December 7, 2007 and March 10, 2008 to check with their financial institutions and go over their statements relating to the period with a fine-toothed comb. Locally, some banks have taken the extraordinary step of contacting each of the customers they believe are impacted, collecting and destroying their cards and re-issuing new ones. Rhinebeck Savings Bank, for example, has just completed such a process. “We do take it quite seriously. I can’t speak for other banks, of course, but the Rhinebeck Savings Bank takes a very proactive approach to that,” said the company’s president and CEO, Michael J. Quinn. “Whenever we get notified that there has been a data breach involving our debit cards, we make the effort to contact each of those customers by phone, as well as sending them a letter. And we actually cancel those debit cards and reissue new ones within a week or 10 days. As soon as we’re notified, we have a team of people within the organization who handle things like that. They did a wonderful job.

“We had about 1,500 this time. It’s a big impact on us when these commercial firms do not protect their data well enough.”

To Quinn’s knowledge, none of the bank’s customers were actually victimized by fraud. He does not yet know exactly what the new card issuance cost the bank, but said it is a significant effort.


Not your grandfather’s identity theft

After news of the security breach originally broke three weeks ago, even more disturbing revelations continued into last week. In an update with national and international repercussions, news organizations from the Boston Globe to Computerworld reported on Friday, March 28 that this was no ordinary scam, but rather the opening of a chilling new chapter in the war between hackers and an increasingly vulnerable online payment industry. The Globe reported that Hannaford’s general counsel, Emily D. Dickinson, alerted government officials of a “new and sophisticated” methodology employed by the thieves, in which copies of software called “malware” were secretly installed on servers at every one of the company’s 300-odd grocery stores in New England, New York State and Florida. Dickinson’s letter is quoted as saying that the insidious software then “mined” data from one particular source: “track 2” information gleaned from the magnetic stripes of cards as they were swiped at the chain’s checkout counters, as the information was “in transit for authorization from the point of sale” to one of the remote institutions used by Hannaford to process its in-store transactions. While the track in question, wrote Dickinson, includes each card’s account number and expiration date, it does not include customers’ names or other identifying information. The swiped data was then stored by the malware in batches right on each supermarket’s unsuspecting server, Dickinson’s letter is quoted in the Globe as saying, before being transmitted “to an unnamed offshore Internet service provider.”

According to the Associated Press, the company has so far been hit with a pair of class action lawsuits related to the breach. The first was filed by a Philadelphia law firm, Berger & Montague, in U.S. District Court in Portland, Me., and alleges that Hannaford was negligent for “failing to provide adequate security for computer data.” The second, filed in U.S. District Court in Bangor, Me., names Melinda Ryan as lead plaintiff.


Damage control

Scarborough, Maine-based Hannaford’s corporate team is doing its best to mitigate the damage, trying to sound reassuring while providing worried customers with up-to-date information as to what the problem was and what steps they might have to take. In a message on the company’s Web site, Hannaford president and CEO Ron Hodge was contrite and to the point. “I want to apologize for the concern and inconvenience this has caused you,” he wrote. “We have stopped this theft and brought in top security experts to help us guard against any further attacks.” This, according to Computerworld, included replacing every one of its 300-plus in-store servers.

Hodge’s missive closed with a list specifying what justifiably worried customers should do, short of joining in a class action lawsuit:

“• If you used a debit or credit card at Hannaford between December 7, 2007 and March 10, 2008, your card number may have been exposed. No personal data such as names or addresses were accessed or obtained.

“• Carefully review your financial institution and credit card statements beginning with December’s statement. Contact your credit card company or issuing bank with concerns about suspicious charges.

“• Though policies and practices of financial institutions vary, consumers in general are protected against unauthorized transactions as long as the charges can be verified as fraudulent and are reported within the required time period. Some customers may experience extraordinary out-of-pocket expenses associated with card replacement, which we will evaluate on a case-by-case basis.

“• Financial institutions will make their own decisions about appropriate actions, which may include reissuing new cards or putting the card numbers on alert for fraud.

“• It is important to know that no one from Hannaford or from any financial institution will ever contact a customer to verify personal or account information over the phone or Internet.

“• For more information or with questions, please call our Customer Information Center at (866) 591-4580.”

One thing the company will not do is alert individuals if their information was stolen in the intrusion. This, according to the Hannaford Web site, is because the company doesn’t collect or store personal information. “We are not able to send letters directly to potentially affected customers because we do not have their names and addresses,” states the disclaimer. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions. However, we are committed to providing useful information to our customers and answering any questions they may have.”

In Dutchess County, Hannaford stores are at 35 Hannaford Dr. in Red Hook, 152 Stringham Road in LaGrangeville and 1490 Route 9 in Wappingers Falls.