The ability of thieves to embed software on the computers of hundreds of Hannaford Bros. supermarkets to divert credit card numbers to an overseas Internet service shows that data security must evolve continually to keep pace with the latest threats, industry observers say.
The Scarborough-based company's reaction to the security breach suggests that laws in Maine and elsewhere also may need to change to keep up, according to government regulators.
New details emerged this week about how the thieves were able to steal the credit and debit card numbers of potentially millions of customers from a system certified as meeting the credit-card industry's rigid standards for security at businesses that do vast numbers of transactions.
The company described the attack on its data security as "novel and sophisticated." Those in the computer security industry say it shows the need for constantly evaluating and updating security and security standards.
"We know the bad guys are pretty smart and getting smarter," said Glenn Boyet, a spokesman for PCI Security Standard, an entity created by the major credit-card companies to develop and maintain a data security compliance program.
"Standards will evolve and they have evolved," said Boyet, noting that he had no direct knowledge of the Hannaford breach or security responses to it.
Hannaford says now that "malware" – industry shorthand for malicious software – showed up on servers at each of the nearly 300 Hannaford and affiliated supermarkets in New England, New York and Florida.
The company doesn't know whether the software was downloaded to the servers from a remote location, said Hannaford spokeswoman Carol Eleazer.
Maine Assistant Attorney General Linda Conti, who is tracking the Hannaford data breach, said Hannaford and the Secret Service briefed her on the investigation.
Conti said she was told that the data breach began as a single message that was sent to a single location. Then it multiplied and went to multiple locations, she said.
The program intercepted card numbers and expiration dates while they were being sent from the store to the credit-card company for authorization. The program then occasionally would transmit a batch of credit-card numbers and expiration dates to an offshore Internet service provider, the company said.
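The behaviour described above (store servers that should talk only to the acquirer's authorization host, yet occasionally push large batches to an unknown external address) is exactly the kind of egress anomaly a network-side check can surface. The following is an added example, not code from the article or from Hannaford; the store subnet, the acquirer address and the flow log lines are all constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example): POS/store servers live in
# 10.20.0.0/16, internal traffic stays in 10.0.0.0/8, and the only legitimate
# external destination for card data is the acquirer's authorization host.
POS_NET = ip_network("10.20.0.0/16")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
AUTH_HOSTS = {"203.0.113.10"}  # placeholder for the acquirer endpoint

# Constructed flow records: timestamp src dst dst_port bytes
SAMPLE_FLOWS = """\
2008-02-01T10:00:01 10.20.5.1 203.0.113.10 443 1200
2008-02-01T10:00:05 10.20.5.1 203.0.113.10 443 980
2008-02-01T11:30:00 10.20.5.1 198.51.100.77 8080 65536
2008-02-01T11:30:00 10.20.9.4 198.51.100.77 8080 70100
2008-02-01T12:00:00 10.20.5.1 10.20.0.2 53 80
"""

def parse_flow(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "port": int(port), "bytes": int(nbytes)}

def find_unauthorized_egress(log_text, min_bytes=4096):
    """Flows from store servers to a destination that is neither internal nor
    the acquirer, large enough to look like a batch rather than a heartbeat."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f["src"] not in POS_NET:
            continue
        if any(f["dst"] in net for net in INTERNAL_NETS):
            continue
        if str(f["dst"]) in AUTH_HOSTS:
            continue
        if f["bytes"] >= min_bytes:
            alerts.append(f)
    return alerts

def stores_sharing_destination(alerts):
    """The same unknown external host receiving batches from several stores is
    the fleet-wide pattern the article describes; group alerts by destination."""
    by_dst = defaultdict(set)
    for a in alerts:
        by_dst[str(a["dst"])].add(str(a["src"]))
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}
```

A strict egress allowlist on the store segment would block such transfers outright; the detection above is the monitoring counterpart for environments where blocking is not yet in place.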
The data theft began no earlier than Dec. 7 and ended no later than March 10, a period in which 4.2 million credit and debit cards were exposed to theft. However, the company believes the actual number stolen was much lower.
Before the news became public, 1,800 card numbers had been used fraudulently, although the number has grown significantly since then.
The company has replaced the hardware that was infected with the malicious software and made sure no versions of the software remain on company systems.
Hannaford senior vice president and general counsel Emily D. Dickinson faxed a letter containing the details to the office of Massachusetts Attorney General Martha Coakley and the Massachusetts Office of Consumer Affairs and Business Regulation.
The letter also states that Hannaford was certified as meeting payment-card industry standards a year ago, and again as recently as Feb. 27.
Typically, a major retailer such as Hannaford would demonstrate compliance by hiring an outside "qualified security assessor." The timing of the certification suggests that the data theft was going on even as the data security system was being approved.
"Law enforcement officials and others report that the method used in the Hannaford breach is new and sophisticated in that it obtains data in transit during the course of the authorization process, which data is not stored or retained by the company itself," Dickinson said in the letter.
Previous major data thefts have involved thieves hacking into or stealing data stored and...