IDENTITY FRAUD'S U.S. TOLL
THE NUMBER of identity fraud victims in the United States decreased from 10.1 million in 2003 to 9.3 million in 2005 to 8.4 million in 2007, according to the Javelin Strategy & Research Survey's Identity Fraud Survey Report.
THE TOTAL ONE-YEAR fraud amount decreased from $55.7 billion in 2006 to $49.3 billion in 2007.
THE MEAN FRAUD AMOUNT per victim decreased from $6,278 in 2006 to $5,720 in 2007.
THE IDENTITY THEFT RESOURCE CENTER announced Wednesday that there were 167 breaches in the U.S. in the first three months of 2008, up from 76 in last year's first quarter.
BREACHES DISCLOSED this year have potentially affected 8 million people, said the San Diego nonprofit group, which counts breaches reported in news media and other sources it considers reliable.
THE HANNAFORD BREACH is this year's biggest so far, the group said.
IF YOU SUSPECT YOUR CARD HAS BEEN COMPROMISED
MONITOR CREDIT CARD and debit card statements and alert issuers of unusual transactions.
BE WARY of e-mail and telephone calls from people who claim they represent Hannaford and ask for personal information.
FOR COMPLETE PROTECTION, close the credit/debit card and have another one issued.
FOR CREDIT CARD DISPUTES, call the institution that issued the card within 60 days of the date of the unauthorized charge appearing on the statement. Within that time frame, a consumer may be responsible for up to $50 of a disputed charge. Follow up with a letter that refers to the phone call.
FOR DEBIT CARD DISPUTES, contact the issuing agency within 48 hours of discovering the disputed charge. Within that time frame, consumers may still be responsible for up to $50. If a customer notifies the financial institution after 48 hours, the customer's liability rises to $500. Consumers who fail to contact the financial institution could be liable for the entire amount.
Lynne Erkkinen's frustration with a data breach at her local Hannaford Bros. supermarket last month wasn't about the amount – a paltry $5 charged to her debit card by a bogus New Jersey company – or even the aggravation of replacing the card.
"One of the worst things for me is there's nothing safe, nothing sacred. Somebody can just scoop money from my checking account," the Yarmouth resident said.
Even as Erkkinen's card was being used fraudulently, a team of 30 information technology specialists and outside security pros was scouring the computer systems at Hannaford headquarters in Scarborough.
The team spent days living on pizza and Peeps, running diagnostic programs and scrutinizing computer code in a frantic push to find out how the information was stolen from a computer system thought to meet the industry's stringent security standards.
In the three weeks since the company announced that 4.2 million credit and debit card numbers were potentially stolen, a more complete picture of the nature, magnitude and impact of the breach has emerged from the company, security specialists, financial institutions and government agencies.
However, much still remains a mystery, in part because of parallel forensic and criminal investigations still under way, as well as corporate secrecy.
It is still not known how many card numbers were used to make fraudulent purchases and how long that danger will exist for those who haven't replaced their cards.
Community outrage over the theft and Hannaford's public response to it will have short- and long-term implications for the chain's business and reputation, but it's unclear to what extent.
The theft is sure to prompt changes in computer security, and the payment-card industry is expected to adjust its requirements for large retailers who accept credit and debit cards.
Maine political leaders also are calling for a review of state and federal laws covering privacy and the need for businesses to notify authorities and the public when personal data is stolen.
"It's clear that as criminals develop new ways to steal personal information and account information that Maine must review how we can increase security and notification," Gov. John Baldacci said in a statement Friday.
FIRST NOTICE
Hannaford learned on Feb. 27 that data thieves had attacked its security system. First Data, the company that handles transactions for Discover and American Express, telephoned to say an unusual number of credit cards were showing fraudulent charges. All the cards had been previously used at Hannaford or grocery chains affiliated with the Scarborough-based chain, such as Sweetbay stores in Florida.
"Sometimes those things are anomalies, and sometimes there's a root cause. It could have been a systems error. It could have been a crime," said Carol Eleazer, spokesperson for Hannaford, who has headed up the communications team following the breach. "In this case, it was a crime."
This was the company's first experience with data theft, she said.
The company called the Secret Service, which launched a criminal probe drawing on experts in academia and the private sector and from the Boston office of the Secret Service Electronic Crimes Task Force.
Meanwhile, nearly all the chain's customers and many financial institutions were oblivious to the crime, continuing to use their credit or debit cards at almost 300 stores to purchase groceries.
On the same day Hannaford learned of the security breach, it also received its most recent seal of approval for meeting the payment card industry's standards for data security.
So even while the store's system was being tested by an outside security assessor, deeply embedded software, unlike any virus previously identified by security companies, was secretly stealing credit and debit card numbers, expiration dates and personal...
Reader comments
Click here to view or add comments on this story
Were you interviewed for this story? If so, please fill out our accuracy form