Kathy Shaw never used to think twice about using her debit card. However, that was before March 17 – when the Hannaford Bros. supermarket chain announced a three-month breach in its security system, resulting in the theft of 4.2 million credit and debit card numbers.

“I canceled my cards, and changed my prescriptions to Rite Aid,” said Shaw, a Westbrook resident. “I won’t go there now, unless I have cash.”

Shaw’s sentiments have been rippling through the public ever since Hannaford’s announcement of the massive security breach that affected all its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. According to Carol Eleazer, vice president of marketing for the Scarborough-based Hannaford, numbers were stolen during the card authorization transmission process. No personal information, such as customer names or addresses, was accessed, she said. The breach was discovered Feb. 27.

“Our security system is state of the art, but obviously as a result we will be auditing our system and making changes,” Eleazer said.

Mike Berger, senior editor for The Griffin Report of Food Marketing, a trade publication covering the New England food industry, said shoppers’ faith in Hannaford likely would be shaken due to the breach.

“You have to put yourself in the customers’ shoes,” Berger said. “If your card was broken into, would you feel secure?”

Eleazer said it’s too soon to tell if the company is losing business.

“Customers have been very generous in their understanding,” she said.

But shoppers Tuesday morning were critical of the supermarket chain.

“I think they kept the situation under wraps for three or four months and they should have actually responded to it in a timely manner,” said Westbrook resident Paul Troutman. “I really believe they should have divulged the information to the public sooner to gain the public’s trust rather than trying to keep it a secret then doing damage control. It just doesn’t seem like their response was fast enough.”

Berger, at The Griffin Report, said, “I can’t really say if they’re doing it right. We’re blazing new ground here.” Berger said.

The only other food-related data breach that he said he was aware of stemmed from a 2007 credit and debit card number theft at Stop ‘n Shop in Connecticut. But it was on a much smaller scale and law enforcement officials had arrested suspects within a week.

“I think it will happen again,” Berger said. “It’s like Russian Roulette. Do you trust your card? Pay with cash? It’s a value judgment that each customer has to come to grips with.”

Four class action lawsuits have been filed in U.S. District Court in Portland and one in Bangor and as a result of the breach, with two of the lead plaintiffs living in Maine.

At least one of the complaints filed accused Hannaford of not adhering to Payment Card Industry (PCI) data security standards, an industry-accepted mode of securing credit and debit card information. Although Eleazer would not comment directly on the accusation due to the ongoing litigation, she said Hannaford was certified as PCI compliant just last month.

Even so, the fact that the system was breached is worrisome for Hannaford, according to Glenn Boyet, the director of marketing and communications for PCI, based in Wakefield, Mass.

“The impact can be fairly substantial in loss of business,” Boyet said. When a security breach occurs, “people perceive it as not a good place to shop.”

Greg Palmer, a customer advocate with Gorham Savings Bank, said Monday he’d received many calls from concerned members with questions regarding the breach, although he was unable to specify the exact number. Palmer said Hannaford provided the bank with a list of accounts that were exposed and all of them were closed.

Chris Pinkham, president of the Maine Association of Community Banks, said each banking institution would handle the breach of their customers’ information differently. He said some banks may choose to re-issue all debit cards, while others may not. Customers would not be held financially responsible for any fraud that is confirmed to be part of the breach, he said.

Meanwhile, Ron Kramer, who owns the company All Computer Solutions in Portland, said that, as an “industry observer” for some 30 years, he is not sitting in judgment of Hannaford.

“I’m not shocked at all,” he said. “Breaches occur all the time. But they’re usually handled internally because companies don’t want to publicize their mistakes.”

Digital technology, Kramer said, is a young industry – only 30 or 40 years old. It’s still evolving, and he believes that more businesses are going to face security problems.

“Companies are going to run into situations like Hannaford’s,” he said.

Shoppers wary in wake of Hannaford data breach


Only subscribers are eligible to post comments. Please subscribe or to participate in the conversation. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.

filed under: