Tsibouris & Associates

Tuesday, March 18, 2008

Supermarket Chain Falls Victim to Security Breach

By Dino Tsibouris & Mehmet Munur

On Monday, March 17, 2008, Hannaford, an East Coast supermarket chain, announced that it fell victim to a security breach. The security breach has so far resulted in 1,800 actual cases of fraud.

Hannaford announced that the breach affected 4.2 million unique account numbers during the card authorization process. Hannaford first noticed the breach on February 27 and contained it on March 10. Hannaford, VISA, MasterCard, and the U.S. Secret Service have not released much information regarding the security breach due to the ongoing nature of the investigation. However, no personal data such as names, addresses, or telephone numbers were revealed during the breach.

It is possible that hackers breached Hannaford’s security in a manner similar to how hackers breached TJ Maxx’s security in 2006. TJ Maxx employed an outdated and easy-to-break encryption scheme called WEP to secure its wireless networks. Hackers breached a TJ Maxx store’s wireless network near St. Paul, MN using a laptop and a directional antenna. They then used this data to compromise TJ Maxx’s central customer database at its Framingham, MA headquarters. The hackers obtained many millions of credit card numbers and some personally identifying information such as driver’s license numbers and social security numbers.

Hannaford’s security breach pales in comparison to the security breach at TJ Maxx, which may have affected 100 million customers. TJ Maxx has settled with VISA and the card issuing banks over its security breach for $82 million. TJ Maxx has set aside a reserve fund of $107 million for payments and legal expenses. Though the FTC has been investigating TJ Maxx, it has not yet announced a settlement. The FTC may levy fines against TJ Maxx since that breach was the largest security breach to date.

While the FTC has settled only 17 cases to date relating to data security practices by companies handling personal information, it has settled 2 so far in 2008. It appears that the FTC will settle more cases related to security breaches this year.

