Shopper Charlotte Hanson of Casco assessed in four words what many local Hannaford Brothers shoppers were feeling this week.

“It’s kind of scary,” said Hanson, 69, about news a three-month breach in the company security system resulted in the theft of 4.2 million credit and debit card numbers.

Hanson, who said she canceled her credit cards, added she was disturbed by the slow response of Hannaford.

Hannaford Brothers announced March 17 the massive security breach that affected all its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

According to Carol Eleazer, vice president of marketing for the Scarborough-based Hannaford, numbers were stolen during the card authorization transmission process. No personal information, such as customer names or addresses, was accessed, she said. The breach was discovered Feb. 27.

“Our security system is state of the art, but obviously as a result we will be auditing our system and making changes,” Eleazer said.

Mike Berger, senior editor for The Griffin Report of Food Marketing, a trade publication covering the New England food industry, said shoppers’ faith in Hannaford likely would be shaken due to the breach.

“You have to put yourself in the customers’ shoes,” Berger said. “If your card was broken into, would you feel secure?”

Eleazer said it’s too soon to tell if the company is losing business.

“Customers have been very generous in their understanding,” she said.

But shoppers Tuesday morning were critical of the supermarket chain.

“I think they kept the situation under wraps for three or four months and they should have actually responded to it in a timely manner,” said Westbrook resident Paul Troutman. “I really believe they should have divulged the information to the public sooner to gain the public’s trust rather than trying to keep it a secret then doing damage control. It just doesn’t seem like their response was fast enough.”

Berger, at The Griffin Report, said, “I can’t really say if they’re doing it right. We’re blazing new ground here.” Berger said.

The only other food-related data breach that he said he was aware of stemmed from a 2007 credit and debit card number theft at Stop ‘n Shop in Connecticut. But it was on a much smaller scale and law enforcement officials had arrested suspects within a week.

“I think it will happen again,” Berger said. “It’s like Russian Roulette. Do you trust your card? Pay with cash? It’s a value judgment that each customer has to come to grips with.”

Four class action lawsuits have been filed in U.S. District Court in Portland and one in Bangor and as a result of the breach, with two of the lead plaintiffs living in Maine.

At least one of the complaints filed accused Hannaford of not adhering to Payment Card Industry (PCI) data security standards, an industry-accepted mode of securing credit and debit card information. Although Eleazer would not comment directly on the accusation due to the ongoing litigation, she said Hannaford was certified as PCI compliant just last month.

Even so, the fact that the system was breached is worrisome for Hannaford, according to Greg Boyet, the director of marketing and communications for PCI, based in Wakefield, Mass.

“The impact can be fairly substantial in loss of business,” Boyet said. When a security breach occurs, “people perceive it as not a good place to shop.”

Greg Palmer, a customer advocate with Gorham Savings Bank, said Monday he’d received many calls from concerned members with questions regarding the breach, although he was unable to specify the exact number. Palmer said Hannaford provided the bank with a list of accounts that were exposed and all of them were closed.

Chris Pinkham, president of the Maine Association of Community Banks, said each banking institution would handle the breach of their customers’ information differently. He said some banks may choose to re-issue all debit cards, while others may not. Customers would not be held financially responsible for any fraud that is confirmed to be part of the breach, he said.

Meanwhile, Ron Kramer, who owns the company All Computer Solutions in Portland, said that, as an “industry observer” for some 30 years, he is not sitting in judgment of Hannaford.

“I’m not shocked at all,” he said. “Breaches occur all the time. But they’re usually handled internally because companies don’t want to publicize their mistakes.”

Digital technology, Kramer said, is a young industry – only 30 or 40 years old. It’s still evolving, and he believes that more businesses are going to face security problems.

“Companies are going to run into situations like Hannaford’s,” he said.

At least one customer remained unfazed by the breaches or future cyber predations.

David Hook, a retired economist who lives in Denmark, was still using his credit card at the Hannaford store in Bridgton this week. He said the relative risk to any customer is so low he wasn’t worried that his information was leaked.

“I looked at the millions of credit and debit card numbers taken,” said Hook, “And the number of fraudulent claims.” He said he calculated the risk to be several decimal places below 1 percent.

Another shopper said he would stick by his tried-and-true methods.

“I try not to use debit cards,” said Larry Shackley, 61, of Bridgton. “I find cash works everywhere.”

Reporter Michael Hartwell contributed to this story.

Copy the Story Link