PORTLAND – The Hannaford Bros. supermarket chain experienced a security breach that led to thefts of customer credit and debit card numbers from stores in the Northeast and Florida, potentially putting more than 4 million cards at risk of fraud, the company announced Monday.

The security breach affects all of its 165 stores in New England and New York, 106 Sweetbay stores in Florida and a smaller number of independent groceries in the Northeast that sell Hannaford products.

Although the company put the number of unique credit and debit card numbers that were potentially exposed to fraud at 4.2 million, there have been only about 1,800 cases of reported fraud so far, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough.

Hannaford first became aware of unusual credit card activity on Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, Eleazer said.

Chris Pinkham, president of the Maine Association of Community Banks, said he’d received several calls from clients whose customers were concerned about liability for unauthorized purchases.

“Consumers will not be held financially responsible for any fraud confirmed as part of this breach,” he said. “Any fraud would be reimbursed by the financial institution” even though the banks did not cause the breach, he added.

“For more than 125 years, Hannaford has been dedicated to earning the trust of our customers, and we sincerely regret any concern or inconvenience this has caused,” Ronald C. Hodge, Hannaford president and CEO, said in a statement. “We have taken aggressive steps to augment our network security capabilities.”

Credit and debit card numbers were stolen during the card authorization transmission process but no personal information like names, addresses or telephone numbers was divulged, the company said. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions, it said.

The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it’s investigating but declined to comment on the scope of the crime.

“The company did contact us, and we are investigating,” said agency spokesman Malcolm Wiley.

Hannaford warned customers to watch their credit and debit card statements and alert authorities in the event of unusual transactions. It also told customers to beware of hoax e-mails and calls from people claiming to represent Hannaford and seeking to collect personal information.

Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, said holders of debit cards involved in the Hannaford case are most at risk of fraud. While banks generally cover costs up front from fraudulent charges that appear on customers’ credit card statements, exposure of a debit card in a breach could potentially lead a criminal to drain a victim’s bank account. That would leave a consumer having to convince a bank that they deserve to be reimbursed.

“Any time a debit card number is exposed, the affected individuals need to be contacted immediately, and their accounts should be closed down,” Givens said.

The 4.2 million card numbers that Hannaford said were potentially exposed and 1,800 cases of related fraud rank the case among the largest breaches on record involving retailers.

But the case is still far smaller than the biggest hack measured by the number of customer records involved – last year’s disclosure of a breach at TJX Cos., the Framingham, Mass.-based operator of more than 2,500 discount retail stores including T.J. Maxx and Marshalls.

TJX reported last March that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in 2005. However, banks’ recent court filings in a lawsuit against TJX put the number of cards affected at more than 100 million.

Hannaford’s announcement came several hours after the Massachusetts Bankers Association warned that about one-third of its 200 member banks had been contacted by Visa and MasterCard, alerting them that some of the credit and debit cards the banks issued could be at risk.

But the retailer’s name was a mystery for several hours until Hannaford’s official announcement.

Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advidsory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said.

“I had expected there would be more than we’ve heard of,” Walker said. “But it’s still too early for us to tell.”

Eleazer defended Hannaford’s response to the breach.

“We moved with all deliberate speed to get out to customers with information that we could have confidence in,” she said. “This is a complex undertaking.”

Hannaford and Sweetwater, along with Food Lion, are owned by Belgian supermarket chain Delhaize America. Food Lion was not affected by the data breach.



Associated Press Business Writer Mark Jewell in Boston contributed to this report.


Only subscribers are eligible to post comments. Please subscribe or to participate in the conversation. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.