Make us your home page

After data theft, Sweetbay upgrades security

Sweetbay Supermarket and its New England parent are pouring millions into "industrial strength" security after reporting a big data breach March 17.

"This has been the most challenging time in our 100-year history and certainly in my tenure here," said Ron Hodge, chief executive of Hannaford Bros., who also oversees Sweetbay for Belgian owners DelHaize Group.

The breach at 106 Sweetbay stores in Florida and 165 Hannaford Bros. stores in New England lasted from Dec. 7 through March 10.

About 4.2-million debit and credit card numbers were compromised, including 1.6-million on Florida's west coast. So far, 1,800 reports of attempted fraud were reported, but card issuers Visa and MasterCard decline to update the count.

Hodge outlined corrective action in a conference call Tuesday but declined to address the criminal investigation, who's going to pay card issuer losses, or nine privacy lawsuits filed on behalf of customers.

He said the grocer now encrypts all payment data starting at the checkout after adding firewalls, software fixes and around-the-clock monitoring. Infected servers already were replaced, but other installation will take months. The bill has not hit $10-million.

"It hurts to take out perfectly good hardware, but we're replacing the card readers at every store," said Bill Homa, Hannaford chief information officer. "At $5,000 a store, it adds up quickly."

The chain's sales have not suffered since the breach was disclosed, Hodge said.

The company learned of the breach Feb. 27 after Visa refused a string of unauthorized transactions. Hannaford assigned a team of forensic data security experts to pinpoint the leaks. A patch was installed March 10.

Card issuers, however, continue issuing new card numbers regarded as at risk or on customer request. SunTrust Banks and Achieva Federal Credit Union mailed replacement cards as recently as last week, but bankers say cases of fraud are not widespread.

"We have not reissued a card or had a case of fraud reported," said Bucky Sebastian, chief executive of the GTE Federal Credit Union in Tampa, which has 205,000 members.

"The problems were more up North."

Meanwhile, a similar hack that comprised 46,000 cards in February was reported by Okemo Mountain Resort ski area in Ludlow, Vt.

Both represent a new type of hack attack. In the few publicly disclosed breaches by retailers such as TJMaxx/Marshalls, hackers tapped a company database.

This time they installed "malware," or malicious software, in store servers that intercepted card authorization messages between the checkout and banks.

The hackers transmitted batches of stolen numbers and expiration dates to an offshore Internet Service Provider. They did not get Personal Identification Numbers, known as PINs, Homa said.

Typically, hackers sell card numbers to thieves who try to convert them to cash. So far all the fraud disclosed involved unauthorized purchases. No case of attempted identify fraud — using personal information to create a duplicate identity to open new accounts — has surfaced.

Meanwhile, class action suits seeking damages and free credit monitoring services for affected customers are moving through the court system. All nine suits, including one filed in a state court in Tampa, are being consolidated in federal court while judges decide where to hear the case.

Mark Albright can be reached at or
(727) 893-8252.

After data theft, Sweetbay upgrades security 04/22/08 [Last modified: Thursday, April 24, 2008 10:37am]
Photo reprints | Article reprints

© 2017 Tampa Bay Times


Join the discussion: Click to view comments, add yours

  1. For Gov. Rick Scott, 'fighting' could mean vetoing entire state budget

    State Roundup

    Every day, Gov. Rick Scott is getting a lot of advice.

    The last time a Florida governor vetoed the education portion of the state budget was in 1983. Gov. Bob Graham blasted fellow Democrats for their “willing acceptance of mediocrity.”
  2. Potential new laws further curb Floridians' right to government in the Sunshine

    State Roundup

    TALLAHASSEE — From temporarily shielding the identities of murder witnesses to permanently sealing millions of criminal and arrest records, state lawmakers did more this spring than they have in all but one of the past 22 years to chip away at Floridians' constitutional guarantees to access government records and …

    The Legislature passed 17 new exemptions to the Sunshine Law, according to a tally by the First Amendment Foundation.
  3. Data breach exposes 469 Social Security numbers, thousands of concealed weapons holders


    Social Security numbers for up to 469 people and information about thousands of concealed weapons holders were exposed in a data breach at Florida the Department of Agriculture and Consumer Services. The breach, which the agency believes happened about two weeks ago, occurred in an online payments system, spokesperson …

    Commissioner of Agriculture Adam Putnam on Monday that nearly 500 people may have had their Social Security numbers obtained in a data breach in his office.
[Times file photo]

  4. Trigaux: Can Duke Energy Florida's new chief grow a business when customers use less power?


    Let's hope Harry Sideris has a bit of Harry Houdini in him.

    Duke Energy Florida president Harry Sideris laid out his prioriities for the power company ranging from improved customer service to the use of more large-scale solar farms to provide electricity. And he acknowledged a critical challenge: People are using less electricity these days. [SCOTT KEELER   |   Times]
  5. Citigroup agrees to pay nearly $100 million fine for Mexican subsidiary


    NEW YORK — Citigroup has agreed to pay nearly $100 million to federal authorities to settle claims that a lack of internal controls and negligence in the bank's Mexican subsidiary may have allowed customers to commit money laundering.

    Citigroup has agreed to pay nearly $100 million to federal authorities to settle claims that a lack of internal controls and negligence in the bank's Mexican subsidiary may have allowed customers to commit money laundering. 
[Associated Press file photo]