enlarge

WHAT TO DO

• Monitor credit card and debit card statements and alert the issuer to unusual transactions.

•Be wary of e-mail and telephone calls from people claiming to represent Hannaford seeking personal information.

•For complete protection, close the credit/debit card and have another one issued.

•For credit card disputes: Call the institution that issued the card within 60 days of the date of the unauthorized charge appearing on the statement. Within that time frame, a consumer is still responsible for up to $50 of a disputed charge. Follow up with a letter referencing the phone call.

•For debit card disputes: Contact the issuing agency within 48 hours of discovering the disputed charge. Within that time frame, consumers are still responsible for up to $50. If a customer notifies the financial institution after 48 hours, the customer's liability goes up to $500. Consumers who fail to contact the financial institution could be liable for the entire amount.

Marie Kane's checking account took a $1,500 hit on Monday, courtesy of a debit card, a scam artist and, she believes, a recent visit to the Hannaford Bros. supermarket on Forest Avenue.

Kane, of Portland, is one of thousands of shoppers feeling the impact of a three-month security breach at Hannaford supermarkets throughout the Northeast and at its stores in its sister chain, Sweetbay, in Florida.

The breach exposed 4.2 million debit- and credit-card numbers to scammers, who Kane said used her card number twice, racking up a total of $1,504.39 in charges at a CVS Pharmacy in New Jersey.

She discovered the fraud Tuesday when she called her debit-card issuer in response to news reports about the security breach. A representative from the company's fraud department told Kane about the CVS charges, canceled her card and began the process of crediting her bank account.

Kane is having second thoughts about using her debit card at the supermarket again.

"In the long run, look what happens," she said.

Hannaford customers worried that their financial information was compromised in the theft of millions of credit card and debit card numbers should, like Kane, take steps immediately to protect themselves, officials said Tuesday.

News of the breach prompted a huge increase in calls from worried patrons to local banks and credit unions, according to trade organizations. Officials emphasized that customers -- and not the financial institutions -- had to be the ones to look over their financial statements to identify any possible fraud.

"The best detective that we have right now is the consumer who says, 'That's not my charge!'" said Chris Pinkham, president of the Maine Association of Community Banks, a trade association.

The investigation continued on several fronts Tuesday. A Secret Service Financial Crimes Task Force based in Boston continued to investigate, while Mainers were notifying card issuers of unusual activity. In turn, those agencies were notifying banks and financial institutions of potentially compromised cards.

At least one institution, Town and Country Federal Credit Union, said it had been notified by Visa that about 8,000 debit cards were involved in the breach, although none had reported any fraudulent activity. The credit union planned to cancel and reissue all of those cards.

As more customers check their records, more reports of potential fraud are coming in, according to Pinkham.

"Last week it was just a handful but they just keep rolling in," he said. "The numbers just exploded over the weekend, and until consumers look at their statements and determine fraudulent transactions, it's hard for us to get a handle on this."

Hannaford officials said the card numbers were exposed to theft from Dec. 7 to March 10. As of early Monday, there had been fraudulent activity on 1,800 unique credit or debit cards, according to company spokeswoman Carol Eleazer. An updated number was not available Tuesday.

Eleazer said individual financial institutions are now handling reports of fraudulent activity, and there is no central reporting agency keeping a running tally of all fraud.

Hannaford, based in Scarborough, said the compromised cards had been used in transactions at all 165 Hannaford stores it operates, plus 106 Sweetbay stores in Florida and 23 independently run stores that use Hannaford operating systems. Hannaford Bros. is owned by Belgium's Delhaize Group.

The card number theft is one of the largest reported security breaches for a Maine-based retailer. But it is relatively small compared with the most frequently cited breach: the theft of data last year at TJX Cos., which includes TJ Maxx stores, in which at least 45.7 million cards were exposed to possible fraud.

Still, Hannaford has many stores, and news of the online theft had some customers worried.

"It...