Hannaford Bros. Was in Compliance with PCI When Hacked

(March 18, 2008) Fraudsters obtained payment card data originating with Hannaford Bros. Co. while the regional supermarket chain was compliant with the Payment Card Industry data-security standard, or PCI. The disclosure may mark the first publicly known breach of a PCI-compliant merchant.

“We were certified [as PCI-compliant] last spring and we were recertified in February,” Hannaford vice president of marketing Carol Eleazer tells Digital Transactions News. She could not identify Scarborough, Maine-based Hannaford’s PCI assessor. Some 4.2 million credit and debit card numbers were exposed in a breach that happened between Dec. 7 and March 10 (Digital Transactions News, March 17). Some 1,800 cases of fraud are believed linked to the breach.

Hannaford’s president and chief executive, Ronald C. Hodge, indicated in a statement on Monday that the hacker or hackers obtained card numbers and expiration dates during the authorization process, implying possible illicit access as data moved between point-of-sale terminals, electronic cash registers, or servers. The PCI standards require encryption of data that are in transit. Older payment-processing technology can leave wireless data exposed to interception for a fraction of a second during authorizations.

Eleazer did not have further details on Tuesday about exactly how the fraud happened, saying it is under investigation by the U.S. Secret Service and experts inside and outside the company. But she does say that Hannaford had been using data encryption all of last year. In fact, she adds, “in 2007 we had just recently upgraded our wireless encryption.”

While merchants don’t disclose the majority of breaches involving payment card data, “this is the first publicly disclosed breach of data in transit, and there may be more to come,” says payment security researcher Avivah Litan of Stamford, Conn.-based Gartner Inc.

Litan says forensic experts are telling her that with more merchants now getting PCI’s message that they’re not supposed to store card numbers (something Hannaford says it doesn’t do), fraudsters increasingly are targeting data in transit. They’re doing this by enlisting employees or what she calls partial insiders to help them steal and decode it. This group includes technology vendors, outside maintenance personnel, and others who have credentials and know passwords that can get them inside a company’s computer systems, or have so-called keys that can decrypt encrypted data. “They’re not even using any fancy technical expertise,” she says. Citing the ongoing investigation, Eleazer would not comment about whether insiders or vendors may be involved.

Eleazer could not identify Hannaford’s merchant acquirer of record, but she says the company uses First Data Corp. for card processing. A First Data spokesperson could not be reached for comment early this afternoon.

The breach involved all 165 Hannaford Bros. stores in New England and New York, 106 stores in Florida of corporate affiliate Sweetbay, and some independent grocery stores in the Northeast that carry Hannaford products. Hannaford became aware of the breach Feb. 27. Asked why Hannaford didn’t disclose the breach until March 17, just after the Massachusetts Bankers Association announced a breach involving a big but unidentified retailer, Eleazer says the company wanted to make sure it had “information we could have confidence in” before going public.

Belgium-based Delhaize Group, whose Delhaize America Inc. unit also includes Food Lion and other grocery chains, owns Hannaford.

Copyright 2010 by Boland Hill Media LLC. All the text, graphics, audio, design, software, and other works are the copyrighted works of Boland Hill Media LLC. All rights reserved. Any redistribution or reproduction of any materials herein is strictly prohibited.