Portland Press Herald / Maine Sunday Telegram
Data stolen from Hannaford during transit
The breach could represent a new trend in the way criminals access information.
By NOEL K. GALLAGHER, Staff Writer March 20, 2008

FOR MORE INFORMATION

HANNAFORD HOTLINE: (866) 591-4580


PARTIAL LIST OF FINANCIAL INSTITUTIONS

Maine State Credit Union fraud hotline: (207) 623-1851 or (800) 540-8707

Key Bank: (800) 539-2968, Option #7

TD Banknorth: (800) 893-8554

WHAT SHOULD YOU DO? Customers are not likely to be contacted by their financial institutions regarding the Hannaford breach. Trade associations are recommending that customers check their statements and contact their financial institutions immediately by phone if they spot any unusual activity. The state Attorney General's Office is recommending that anyone who is concerned that their card may be compromised simply cancel the card and request a new one.

OTHER BUSINESSES AFFECTED: The compromised credit and debit cards were used in transactions at all 165 Hannaford stores, plus 106 Sweetbay stores in Florida and 23 independently run stores that use the Hannaford operating systems. Hannaford Bros. is owned by Belgium's Delhaize Group. Independently owned stores in Maine that were affected by the data breach are: Bethel Foodliner, Bethel; Ellis Market, Patten; Bayside Market, Milbridge; Shop 'N Save Buds, Dexter; Blue Hill Market, Blue Hill; Mister Market, Winthrop; Shop 'N Save Buds, Newport; Shop 'N Save Graves, Presque Isle; Shop 'N Save Buds, Pittsfield; Indian Hill Shop 'N Save, Greenville; Shop 'N Save Paradis, Fort Kent; Shop 'N Save Paradis, Madawaska; Paradis, Brewer; Paradis, Caribou; Paradis, Houlton; Paradis, Calais; Garden Street Market, Kennebunk; Edwards Shop 'N Save, Dover Foxcroft; Edwards Shop 'N Save, Hampden.

Source: Hannaford Bros.

 

Experts who are examining the Hannaford security breach, in which 4.2 million debit- and credit-card numbers were exposed to scammers, say the way the information was stolen could represent a new trend.

Several noted that the information was stolen while in transit, instead of while sitting in storage.

According to the Hannaford Web site, the "data was illegally accessed from Hannaford's computer systems during the card verification transmission process in transactions."

No other information was available from Hannaford or the Secret Service, which is investigating the crime.

"To me, this is the first publicized case of a new trend in data stolen in transit," said Avivah Litan, vice president and security analyst for Gartner Inc., a technology research group with headquarters in Stamford, Conn.

"I think we're going to see a lot more of this in 2008 and 2009," Litan said. "Up until now, Visa has been working really hard to drive sensitive authentication out of data storage, and they've been largely successful. But that means that criminals have to turn to stealing data in transit."

Hannaford said 4.2 million debit- and credit-card numbers were exposed between Dec. 7 and March 10. There was a report of fraudulent activity on 1,800 unique cards as of Monday, but a running tally of all fraud associated with the case is not being kept, Hannaford officials said Wednesday.

Consumers, meanwhile, were still wondering how such a security breach could have occurred.

Litan described several possible ways, including theft of a system password by a contractor that maintains the system, and collusion between organized crime and a person authorized to access the system.

A typical grocery store point-of-service transaction involves swiping a credit or debit card. In such a transaction, Litan said, the card information does not have to be encrypted because it is in a private network. But it is supposed to be transmitted over an encrypted line.

On the other hand, information put into a public network, during an online purchase, must be encrypted.

Thieves have been able to use stolen debit cards without the PIN numbers by treating them like credit cards, experts said.

The good news for consumers is that the Hannaford breach represents identity "fraud," as opposed to the more serious identity "theft," in which criminals can open up new lines of credit based on stolen personal information, according to Robert Richardson, director of the San Francisco-based Computer Security Institute, an association of computer security professionals.

"In this case, they've got your number, but they're not stealing your identity. They're stealing your money," Richardson said. "Once someone puts a stop on that number, they're out of the soup, or should be."

A thief can use a card even without a name, according to experts.

The information on a card's magnetic strip includes the card number, the expiration date and hidden security codes, all of which are transmitted during a transaction. A thief can use that information even without having the card and the three- or four-digit security number that is printed on it, she said.

"If you are the perpetrator here, you want to make small purchases lickety-split because as soon as the banks figure it out, they'll close it down, or they'll start watching those numbers," Richardson said.

Gartner Inc., the technology research company, plans to issue a written analysis this week about the Hannaford breach, with suggestions on how retailers can protect themselves against similar thefts.

A draft of the analysis includes a suggestion that merchants spend a few hundred dollars to upgrade card readers so that all data is encrypted before it enters the system.

Although consumers are generally protected from loss by their financial institutions, it is troubling to have someone access your bank account...

