Police Arrest Four in Stop & Shop Breach As Legislation Looms

Hackers frequently go free, but Coventry, R.I., police late Monday night arrested four California men suspected in the recent theft of debit and credit card data from PIN pads at grocery-store chain Stop & Shop Supermarket Cos. While the arrests are certainly good news to Stop & Shop and banks, a growing movement in states and Congress to punish retailers and other entities whose databases of sensitive consumer information get hacked may soon overshadow them. The four suspects, all in their 20s, were charged with felonies after store employees noticed suspicious activity in the front of the store and notified police, a statement from Quincy, Mass.-based Stop & Shop says. According to the Providence (R.I.) Journal, two of the suspects attempted to divert the attention of a cashier while a third tried to remove a PIN pad and the fourth waited outside. The suspects reportedly match images taken earlier of men caught on Stop & Shop surveillance videos. Stop & Shop bolted down PIN pads in all of its 385 stores in New England, New York, and New Jersey after discovering that PIN pads had been tampered with at several stores, including one in Coventry (Digital Transactions News, Feb. 20). A bank alerted Stop & Shop to the hack. The four suspects were expected to appear in court today on charges of access to a computer for fraudulent purposes, computer theft, computer trespass, and conspiracy, according to the Journal. It was not immediately clear how many debit or credit card accounts might have been compromised in the Stop & Shop breach. Coventry police did not return Digital Transactions News calls for comment. As the Stop & Shop incident heads toward apparent closure, companies that handle consumer identity and financial information may be facing, for better or worse, more regulation. While 35 states have data-breach disclosure laws, press reports from around the country say states are becoming increasingly interested going further in compensating victims of database breaches that allow hackers to commit identity and payment card fraud. Leading the way is Massachusetts, which happens to be the headquarters state of companies involved in several notable breaches. Besides Stop & Stop, they include off-price retailer TJX Cos., the source of a breach that may have compromised millions of accounts (Digital Transactions News, Feb. 21). About two months ago, Massachusetts state Rep. Michael A. Costello, D-Newburyport, introduced House Bill 213, which would impose on any commercial entity identified as the source of a data breach liability for costs incurred by others, including banks, as a result of that breach. Such costs could include those for closing or freezing accounts, card reissuance, and fraud losses committed on compromised cards. The bill is pending in the Legislature's joint committee on consumer protection, says Costello's chief of staff, Adam Martignetti. Costello also has introduced legislation making it a felony in Massachusetts to buy or sell stolen identities. The Massachusetts Bankers Association informed Costello about costs card issuers incur when a data breach leads to card fraud, says Martignetti. “It made sense to us, the reimbursement piece,” he says. “More than that, Rep. Costello is interested in creating a solution that keeps data safe. If that incentive needs to be a financial incentive, that's what needs to be done.” Meanwhile, some members of Congress, including U.S. Rep. Barney Frank of Massachusetts, the new chairman of the House Financial Services Committee, are talking about database-breach legislation. A bill with broad sponsorship, however, has yet to emerge.