It was during the card approval process that more than 4 million customer accounts at grocery stores in the Northeast and Florida were exposed to fraud, even though the company meets the latest standards for data security, a spokeswoman said Tuesday.
Hannaford Bros. Co. doesn't yet know how the breach — which began Dec. 7 and ended March 10 — occurred, said Carol Eleazer, vice president of marketing for Hannaford, based in Scarborough.
About 4.2 million credit and debit card numbers were exposed and at least 1,800 stolen during the seconds it takes for that information to travel to credit card companies for approval after customers swiped their cards in checkout-line machines, Eleazer said.
On Tuesday, many customers were not yet aware of the problem. Others who'd read or heard about it didn't seem alarmed.
Shopper Mary Kellett said she'll continue to shop at Hannaford — and use her credit card. She'll also be more vigilant checking her card statements.
"Nobody's really found a perfect way to prevent this," she said as she loaded bags of groceries into her car in a Hannaford parking lot in Portland. "But I'm still here shopping today."
It's virtually impossible to make credit card transactions 100 percent secure, even if companies use state-of-the-art technology and accepted security practices, said Avishai Wool, chief technical officer at AlgoSec, a computer network security company in Reston, Va.
"That's like asking if you can have a 100-percent secure home that cannot be broken into," Wool said. "I don't think you can. If the bad guys spend enough money and have the appropriate equipment, they can go through anything."
The breach affects all 165 Hannaford stores in New England and New York, 106 Sweetbay stores in Florida and a smaller number of independent stores in the Northeast that sell Hannaford products. Hannaford and Sweetbay are owned by the Belgian supermarket chain Delhaize America.
The Hannaford case is among the largest security breaches on record but is still much smaller than the tens of millions of credit cards that were exposed at TJX Cos. of Framingham, Mass., which has 2,500 stores and includes the T.J. Maxx and Marshalls chains.
Hannaford stores, Eleazer said, do not use wireless systems, which are believed to have been the entry points for other recent large-scale data thefts at retailers, including the TJX case.
The TJX breach is thought to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami — an entry point that eventually gave hackers undetected access to TJX's central databases for a year and a half.
For merchants to accept credit cards, they have to meet industry standards that credit card firms impose on merchants to protect data.
The standards are administered by the PCI Security Standards Council in Wakefield, Mass., and require retailers to maintain firewalls to protect data inside their computer systems, encrypt data when it travels across public networks, and generally restrict access to cardholder data.
The standards also require companies to track and monitor all access to cardholder data, restrict physical access to cardholder data and use and update antivirus software.
The standards are constantly being updated, said Bob Russo, general manager of PCI Security Standards Council.
"You have to think of this as an arms race," he said. "We have to stay out in front as much as we can."
Hannaford's transaction system was found to be in compliance with the standards as recently as last month, Eleazer said.
"And yet we were the victim of this attack. Which further proves that, regrettably, in the wired world in which we live, vulnerabilities inevitably exist," she said.
The U.S. Secret Service is investigating, and Hannaford continues to evaluate its technology infrastructure. None of the exposed data contained customers' names, addresses or phone numbers — just account numbers, Eleazer said.
Still, the problem is "testament to the fact that breaches have turned into a global epidemic," said Slavik Markovich, chief technology officer of Sentrigo Inc., a database security company based in Woburn, Mass.
"Overall, this type of attack, lasting several months and resulting in large-scale data theft and actual cases of fraud, demonstrates once more that enterprises are being proactively targeted by organized crime," Markovich said in an e-mail. "Weak links anywhere in the data chain that leave the data vulnerable to theft are exploited."