Data thieves steal credit card data from supermarket chain

The thieves broke into computers at supermarket chains Hannaford Brothers and Sweetbay, stealing an estimated 4.2 million credit and debit card numbers

Data thieves broke into computers at supermarket chains Hannaford Brothers and Sweetbay, stealing an estimated 4.2 million credit and debit card numbers, Hannaford said Monday.

"The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization," said Hannaford CEO Ron Hodge, in a statement posted to the company's Web site.

Hannaford became aware of the theft on Feb. 27 following reports of suspicious credit card activity. The crime, which occurred some time between December and March, is one of the largest reported data thefts from a retailer in U.S. history.

"Somebody hacked into their system," said Mark Walker, vice president and counsel with the Maine Bankers Association, which started informing its 15 member banks of the breach last Friday.

Although only credit and debit card numbers were stolen -- not names or addresses -- Walker said that some cases of identity theft had been associated with the incident.

The Associated Press reported Monday that more than 1,800 cases of fraud had been linked to the theft, which affects 4.2 million credit and debit card numbers.

That's far fewer account numbers than in the nation's largest retail data theft. In 2005, hackers gained access to computer systems at Massachusetts-based TJX Companies, owners of T.J.Maxx, Marshalls and Bob's Stores. That breach affected more than 94 million credit and debit card accounts.

Hannaford is owned by Belgian supermarket giant Delhaize Group, which operates about 1,500 stores in the eastern U.S. In addition to Hannaford Brothers, it owns Food Lion, Bloom, Bottom Dollar, Harveys, Kash n' Karry, and Sweetbay grocery stores.

Hannaford stores in New England and New York state were hit with the theft, as were the company's Sweetbay stores in Florida, according to the Hannaford Web site. The company warned that some independent retail locations in the Northeast that carry Hannaford products were also affected.

Close to 70 Massachusetts banks have been contacted by Visa and MasterCard about the incident, which occurred between December and March, the Massachusetts Bankers Association (MBA) said Monday in a statement.

"The MBA estimates that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and is urging consumers to monitor their accounts," the bankers association said.

MasterCard characterized the incident as a "potential security breach" and issued a statement saying that the matter is being investigated by law enforcement. Because of the ongoing investigation, however, the credit card company declined to provide additional details.

A Secret Service spokesman confirmed Monday that his agency, which pursues financial crimes, is investigating.

Delhaize and Hannaford representatives did not return telephone calls and e-mails seeking comment on Monday. On its Web site, Hannaford is advising customers looking for help with the matter to call its support line at 1-866-591-4580.

Because Hannaford does not associate addresses or names with its credit card numbers, it is unable to notify those who have had their credit card numbers compromised, the company said.

Copyright © 2008 IDG Communications, Inc.