Sweetbay Supermarket and its New England parent are pouring millions into "industrial strength" security after reporting a big data breach March 17.
"This has been the most challenging time in our 100-year history and certainly in my tenure here," said Ron Hodge, chief executive of Hannaford Bros., who also oversees Sweetbay for Belgian owners Delhaize Group.
The breach at 106 Sweetbay stores in Florida and 165 Hannaford Bros. stores in New England lasted from Dec. 7 through March 10.
About 4.2-million debit and credit card numbers were compromised, including 1.6-million on Florida's west coast. So far, 1,800 cases of attempted fraud have been reported, but card issuers Visa and MasterCard decline to update the count.
Hodge outlined corrective action in a conference call Tuesday but declined to address the criminal investigation, who's going to pay card issuer losses, or nine privacy lawsuits filed on behalf of customers.
He said the grocer now encrypts all payment data starting at the checkout after adding firewalls, software fixes and around-the-clock monitoring. Infected servers already were replaced, but other installation will take months. The bill has not hit $10-million.
"It hurts to take out perfectly good hardware, but we're replacing the card readers at every store," said Bill Homa, Hannaford chief information officer. "At $5,000 a store, it adds up quickly."
The chain's sales have not suffered since the breach was disclosed, Hodge said.
The company learned of the breach Feb. 27 after Visa refused a string of unauthorized transactions. Hannaford assigned a team of forensic data security experts to pinpoint the leaks. A patch was installed March 10.
Card issuers, however, continue to reissue cards for numbers regarded as at risk or on customer request. SunTrust Banks and Achieva Federal Credit Union mailed replacement cards as recently as last week, but bankers say cases of fraud are not widespread.
"We have not reissued a card or had a case of fraud reported," said Bucky Sebastian, chief executive of the GTE Federal Credit Union in Tampa, which has 205,000 members.
"The problems were more up North."
Meanwhile, a similar hack that compromised 46,000 cards in February was reported by Okemo Mountain Resort ski area in Ludlow, Vt.
Both represent a new type of hack attack. In the few publicly disclosed breaches at retailers such as TJMaxx/Marshalls, hackers tapped a company database.
This time they installed "malware," or malicious software, in store servers that intercepted card authorization messages between the checkout and banks.
The hackers transmitted batches of stolen numbers and expiration dates to an offshore Internet Service Provider. They did not get Personal Identification Numbers, known as PINs, Homa said.
Typically, hackers sell card numbers to thieves who try to convert them to cash. So far all the fraud disclosed involved unauthorized purchases. No case of attempted identity fraud — using personal information to create a duplicate identity to open new accounts — has surfaced.
Meanwhile, class action suits seeking damages and free credit monitoring services for affected customers are moving through the court system. All nine suits, including one filed in a state court in Tampa, are being consolidated in federal court while judges decide where to hear the case.
Mark Albright can be reached at email@example.com or