March 17, 2010

Data stolen during transit



Staff Writer

Experts who are examining the Hannaford security breach, in which 4.2 million debit- and credit-card numbers were exposed to scammers, say the way the information was stolen could represent a new trend.

Several noted that the information was stolen while in transit, instead of while sitting in storage.

According to the Hannaford Web site, the "data was illegally accessed from Hannaford's computer systems during the card verification transmission process in transactions."

No other information was available from Hannaford or the Secret Service, which is investigating the crime.

"To me, this is the first publicized case of a new trend in data stolen in transit," said Avivah Litan, vice president and security analyst for Gartner Inc., a technology research group with headquarters in Stamford, Conn.

"I think we're going to see a lot more of this in 2008 and 2009," Litan said. "Up until now, Visa has been working really hard to drive sensitive authentication out of data storage, and they've been largely successful. But that means that criminals have to turn to stealing data in transit."

Hannaford said 4.2 million debit- and credit-card numbers were exposed between Dec. 7 and March 10. There was a report of fraudulent activity on 1,800 unique cards as of Monday, but a running tally of all fraud associated with the case is not being kept, Hannaford officials said Wednesday.

Hannaford already has been hit with two lawsuits filed on behalf of consumers whose credit and debit card numbers were compromised as a result of a major security breach.

A Philadelphia law firm, Berger & Montague, said it filed suit Wednesday in U.S. District Court in Portland, alleging that the supermarket chain was negligent for failing to provide adequate security for computer data.

The firm said the breach has exposed Hannaford customers to the risk of fraud, forcing them to monitor their accounts and dispute fraudulent charges.

A similar lawsuit filed in U.S. District Court in Bangor named Melinda Ryan as lead plaintiff. Carol Eleazer, Hannaford vice president of marketing, said the company has not been served with any complaints and had no comment.

Other consumers, meanwhile, were still wondering how such a security breach could have occurred.

Litan described several possible ways, including theft of a system password by a contractor that maintains the system, and collusion between organized crime and a person authorized to access the system.

A typical grocery store point-of-service transaction involves swiping a credit or debit card. In such a transaction, Litan said, the card information does not have to be encrypted because it is in a private network. But it is supposed to be transmitted over an encrypted line.

On the other hand, information put into a public network, during an online purchase, must be encrypted.

Thieves have been able to use stolen debit cards without the PIN numbers by treating them like credit cards, experts said.

The good news for consumers is that the Hannaford breach represents identity "fraud," as opposed to the more serious identity "theft," in which criminals can open up new lines of credit based on stolen personal information, according to Robert Richardson, director of the San Francisco-based Computer Security Institute, an association of computer security professionals.

"In this case, they've got your number, but they're not stealing your identity. They're stealing your money," Richardson said. "Once someone puts a stop on that number, they're out of the soup, or should be."

A thief can use a card even without a name, according to experts.

The information on a card's magnetic strip includes the card number, the expiration date and hidden security codes, all of which are transmitted during a transaction. A thief can use that information even without having the card and the three- or four-digit security number that is printed on it, she said.

"If you are the perpetrator here, you want to make small purchases lickety-split because as soon as the banks figure it out, they'll close it down, or they'll start watching those numbers," Richardson said.

Gartner Inc., the technology research company, plans to issue a written analysis this week about the Hannaford breach, with suggestions on how retailers can protect themselves against similar thefts.

A draft of the analysis includes a suggestion that merchants spend a few hundred dollars to upgrade card readers so that all data is encrypted before it enters the system.

Although consumers are generally protected from loss by their financial institutions, it is troubling to have someone access your bank account through a debit card theft, said Litan, the Gartner analyst.

Customers must fill out affidavits and paperwork to recoup debit card losses, Litan said.

Consumers who promptly report any suspicious transactions will be reimbursed by their financial institutions, but under Visa rules, Hannaford will be liable for any direct fraud losses, Litan said.

The financial institutions pay the cost of customer service associated with the data theft.

"(Hannaford) will take a hit for this," Litan speculated. "The banks aren't going to sit back and pay for it."

If the thieves captured the data as it was transferred, there will be questions of whether it was legal to transmit that data unencrypted, said Richardson.

Some companies must encrypt data before it is transmitted, he said.

Data does not need to be encrypted on a server, which is why data thieves have tended to target stored data, he said.

Staff Writer Noel K. Gallagher can be contacted at 282-8226 or at:

-- The Associated Press contributed to this report
