March 17, 2008 at 7:34 PM ET
It was good to see the Hannaford Bros. grocery chain step forward Monday and admit it was the retailer that had suffered a credit card and debit card hacker attack. Criminals had access to account numbers from Dec. 7 to March 10, and stole a whopping 4.2 million credit and debit card numbers while they were transmitted for authorization, the company said.
The company's announcement came only hours after the Massachusetts Bankers Association issued a statement indicating that it had been warned about a leak at a "major retailer" by Visa and MasterCard, while complaining that the credit card associations wouldn't reveal the name of the store chain. An initial version of this column offered the same lament.
The card associations routinely keep such information a secret, and banks are getting tired of that. You should be, too.
"Releasing the name of the retailer would make all of our lives easier and safer,” Daniel J. Forte, the association’s CEO, said said before Hannaford was identified as target of the data theft. “Customers who didn’t shop there would be put at ease, and banks could do more efficient investigations to better protect
Credit card users are often the last to know when a criminal has access to their data. That's because it usually falls to the affected banks to decide which consumers -- if any -- to tell.
Even when the name of the retailer is made public, disclosure takes place in fits and starts. The infamous TJ Maxx data leak, which ultimately was determined to have affected nearly 50 million account numbers, occurred in December 2006. The company announced the leak one month later, but only recently did it begin notifying individual consumers.
In other data leaks, disclosure of the impacted retailer can take months. Sometimes, the name is never revealed.
"Consumers always want to know where the breach took place. That’s one of the first things affected consumers ask their banks, right after ‘will I get my money back?’" said Avivah Litan, a bank security analyst at consulting firm Gartner. "They ... have a right to know. After all it’s their money and their time that is involved, and it may influence their future purchasing decisions."
One reason that credit card associations maintain a policy of not naming retailers involved in data leaks is that the fault might lie with the store's credit card processing firm or somewhere else along the data chain.
Chris Monteiro, a spokesman for MasterCard, said that the credit card association also cannot release the information because it is “the subject of an ongoing law enforcement investigation.”
Banks, on the other hand, are increasingly calling for early disclosure of data leakers, says Litan.
"The banks obviously want to be able to inform their cardholders where the breach took place, so that consumers don’t blame their bank for the theft," she said.
Credit card associations like Visa and MasterCard are often the first to notice when a large block of account numbers is stolen, because they see the fraud pattern before the merchant. Consumers could benefit from early warning -- particularly debit card holders, who may find their checking accounts drained by thieves.
In either case, consumers are entitled to prompt refunds of money taken by account number thieves, and have zero liability for fraudulent charges made by credit card crooks.
RED TAPE WRESTLING TIPS
Sometimes when data is stolen or missing, it's not clear whether ID thieves actually have control of it. Not so in this case; Hannaford told the Associated Press it's aware of 1,800 cases of fraud related to the data theft.
Consumers simply have to challenge fraudulent charges with their credit card companies. Those who lose money in their checking accounts to fraudulent debit card transactions must get refunds from their banks within 10 days, according to federal banking regulations.
Meanwhile, it's always a good idea to use online banking services to check account balances every few days and make sure nothing is out of whack. If there is, the sooner you report the problem the better.