TIMELINE OF HANNAFORD DATA BREACH
DEC. 7, 2007: Computer hackers breach system.
Feb. 27, 2008: Visa notifies Hannaford that a pattern of unusual credit card activity suggests the grocery chain's computers have been accessed illegally. Hannaford begins analysis, audit and investigation.
MARCH 8: Company technicians find program that is used to steal credit card numbers and remove it.
MARCH 10: Hannaford concludes breach has been contained and notifies financial institutions.
MARCH 17: Hannaford notifies customers.
BREACH BY THE NUMBERS
UP TO 4.2 MILLION credit cards and debit cards were exposed to theft.
FRAUDULENT activity has been reported on at least 1,800 cards.
THE SECURITY breach included 165 Hannaford stores in New England and New York and 106 Sweetbay stores in Florida.
THE BREACH lasted three months.
AT LEAST two lawsuits against Hannaford have been filed on behalf of customers whose cards were exposed to fraud.
The cost of replacing credit and debit cards that were compromised by the breach of Hannaford Bros. computer security will run into millions of dollars for Maine banks and credit unions, and those institutions probably will have no choice but to bear the cost.
Most financial institutions are reissuing cards for customers affected by the breach, which involved up to 4.2 million cards used at Hannaford grocery stores in the Northeast and the company's Sweetbay stores in Florida.
"The cost of reissuing cards, both debit and credit, are at the expense of the financial institution," said Chris Daudelin, president of Town & Country Federal Credit Union, which is based in South Portland.
Daudelin said his credit union expects to issue about 14,000 new cards to customers at a cost -- including administrative time, mailings to customers and the cards themselves -- of about $10 to $12 per card. That will cost Town & Country at least $140,000.
Most financial institutions have insurance for such instances, he said, but the deductibles are so high that it rarely kicks in except for a major incident. He said he's not sure whether insurance will cover any of Town & Country's costs from the Hannaford breach.
A Hannaford spokeswoman said the grocery chain has fulfilled its responsibility by identifying and fixing the breach and notifying customers, credit card companies and the financial institutions.
Hannaford doesn't have a say in deciding whether new cards should be issued or whether other steps are taken to protect customers, Carol Eleazer said.
"The banks and the credit card companies are the ones that manage the card usage," she said. "We work with them cooperatively but we don't make any calls or participate in any other way" in deciding how to deal with compromised cards.
Eleazer said Hannaford is continuing to talk to financial institutions about the security breach, but she's not aware of any asking that Hannaford share some of the costs involved.
John Murphy, president and chief executive officer of the Maine Credit Union League, said his organization estimates that its 68 member institutions will have to reissue about 150,000 cards. He said he couldn't estimate the total cost.
"There are so many variables in it," he said. "I know the cost is significant."
Murphy said many financial institutions pressured TJX last year when information on millions of customers was stolen from the retailer's computers. The company eventually agreed to pay $40.9 million to dozens of New England banks and credit unions, in addition to more than $100 million to settle a class-action lawsuit filed on behalf of consumers.
Murphy said the general practice is that banks and credit unions shoulder the costs associated with issuing new cards.
Consumers are generally calm about the situation, said Joseph Murphy, president of Bar Harbor Bank & Trust and chairman of the Maine Bankers Association.
A major reason, he said, is that consumers know they will not be held responsible for fraudulent charges on their cards. Bar Harbor Bank & Trust, he said, received hundreds of calls a day immediately after the breach was announced by Hannaford, and the number is now down to about 30 a day.
Joseph Murphy said Bar Harbor Bank estimates that 5,000 to 6,000 card numbers held by its customers might have been stolen, but only about a dozen asked for the cards to be canceled immediately, instead of waiting for the bank to send new ones.
The bank expects its upfront costs to total about $25,000, not counting some of the administrative and clerical time involved, he said.
"We don't expect to recoup any of that. We resent it," he said, but the bank doesn't see much to be gained with a lawsuit or a lot of finger-pointing.
"If financial institutions start suing over these things, it's going to be a mess," he said. "There's nothing to be gained from cross-litigating each other."
Staff Writer Edward D. Murphy can be contacted at 791-6465 or at:
emurphy@pressherald.com
Reader comments
Click here to view or add comments on this story
Were you interviewed for this story? If so, please fill out our accuracy form