When the levee broke, it took three weeks to find out.
This is an inconsistency in the Hannaford data breach saga, as other murky details have become clear. On Friday, the source of the breach was reported: malicious software clandestinely installed on internal company computers.
The number, and numbers, of compromised credit cards are also known, as illicit charges from across the globe have appeared. Plus, the financial burden on banks to re-issue cards is spiraling, between $20,000 and $50,000 for two local institutions, for example.
About the only thing remaining unclear is Hannaford’s silence from Feb. 27, when the breach was discovered, to March 17, when it was disclosed. The company has said the delay was to preserve the police investigation.
Hannaford deserves the benefit of the doubt. By all accounts, the company was victimized by an innovative and malevolent computer crime that targeted information in transit, rather than the usual target of information in storage.
In dealing with this type of unique crime, we’d expect police and company officials would need time to understand the scope of what occurred, and how to respond. Big companies and law enforcement are two entities that always move with measured care.
Yet, in this situation, speed was essential. For the millions of consumers affected by this breach, the three-week delay is rightly viewed as an eternity for somebody to know their financial information was insecure. Hannaford has since been sued on this basis.
We’ll leave it to the civil court to assign blame, if possible. Pointing fingers isn’t going to restore any lost consumer confidence, nor track the geek turncoats who used their software skills to exploit this glaring weakness in digital transactions.
There’s much to learn, though. The epoch between the breach’s discovery and disclosure is irresponsible, given the speed of transactions. Companies must be more willing to come forward to say a breach may have occurred, in the interest of protecting consumers.
If companies are unwilling, then this falls to law enforcement. The stolen goods, in this case, are access to assets. There’s an obligation to inform the owner of the asset – the consumer – that their assets could have been compromised, without their knowledge.
Trying to prevent a panic is understandable, especially given this new kind of crime. But for consumers, false alarms about possible breaches are far preferable to silence about real ones.