Hackers steal credit card information from Sweetbay shoppers

About 4.2-million Visa, MasterCard and Discover credit and debit card numbers — 1.6-million of them used at Sweetbay Supermarkets in Florida in the past three months — were exposed to hackers who tapped into the computer network at Hannaford Brothers grocery chain in Portland, Maine.

Hannaford, which runs 160 stores in New England, also processes transactions for its 106-store corporate sibling Sweetbay, which operates on the west coast of Florida.

So far, fewer than 2,000 transactions have been identified as fraudulent. But investigators are not sharing the details, including the type of fraud.

"We're just starting our investigation," said Malcolm Wiley, spokesman for the U.S. Secret Service, which probes counterfeiting and many computer-related crimes.

The security breach exposed payment card account numbers for any transaction handled at a Sweetbay between Dec. 7, 2007, and March 10.

Sweetbay officials, in apologizing for the "intrusion," suggested Monday that customers doublecheck card or bank statements for unauthorized or unfamiliar transactions. Call the bank or card issuer, or both, if something looks suspicious.

Sweetbay does not know the names or personal identification of its customers. So it said it has no way to call anyone to ask for added personal information in connection with the case.

Visa officials declined to comment on the case except to say card holders are not liable for any loss triggered by fraud. Visa is notifying card issuers of compromised accounts and is prepared to issue thousands of new account numbers if necessary.

The hack is the latest in a growing type of organized retail theft plaguing companies that handle massive amounts of payment card data, including TJMaxx parent TJX Cos. and First Data's Western Union unit.

TJX last month paid $41-million to settle with the card companies after its security was partly blamed for a 2005 hack that exposed 46-million credit card numbers to thieves.

Hannaford learned of the hack when a card payment clearinghouse on Feb. 27 spotted an unusual number of transactions.

Quoting an unidentified source in the investigation, the Wall Street Journal online said Monday that the card numbers have turned up in transactions in Detroit, Houston, France and Brazil.

Unlike TJX, where hackers intercepted wireless signals from outside a data-processing center, Hannaford only uses encrypted wireless signals to transmit numbers inside stores. Transmissions to the computer in Maine go through telephone lines.

By March 8 the company and its computer security consultants felt confident enough in pinpointing the dates of the breach to make repairs that were completed March 10.

"We have our arms around the problem, but given our state-of-the-art system, it was a real surprise that we were under attack," said Carol Eleazer, spokeswoman for Hannaford. "This was an incredibly sophisticated scheme."

Hannaford and Sweetbay don't collect personal information on their customers. So the information compromised was limited to card numbers and expiration dates.

That's typically not enough to create a stolen identity. Thieves typically rush to use card account numbers to make purchases online or to create counterfeit cards or bogus gift cards to transform account numbers into cash. Doing so requires blank cards and machines that can read other security tracking data embedded in the cards. Retail security groups have complained that the equipment needed is readily available from online auction sites.

Have you been a victim?

If you think your credit card information has been stolen as a result of shopping at Sweetbay, we'd like to hear from you. Please call Ilyce Meckler at 727-892-2296 or e-mail imeckler@sptimes.com

What to do

If you used a credit or debit card at a Sweetbay Supermarket between Dec. 7 and March 10, do the following.

1. Double-check your card or bank statements for unfamiliar charges.

2. Call your card issuer or financial institution if you find something suspicious.

3. Do not offer personal information to anyone who calls or e-mails about the case claiming to be from Sweetbay. The grocer does not keep enough personal information to contact its customers. Customers with questions can call toll-free 1-866-591-4580.

Comments on this article

by Supplier	Mar 20, 2008 9:46 AM
Hannaford's hubris (in their "State of the Art System") helped to cause this problem .It was Hannaford's system that was broken into...NOT Sweetbay!!!! Lay the blame where it belongs...on Hannaford!!!

by Robert	Mar 20, 2008 9:41 AM
Sweeybay is a SweetSpot for Hackers. My bank just cancelled my bank card last night due to 'security risks' associated with this issue.I am rethinking whether I will take my business elsewhere. This entails some element of trust with sensit

by Bmrncon	Mar 20, 2008 9:35 AM
To Roger, the facts on how the fraudsters collected account numbers wasn't because Sweetbay was storing card information - the information was stolen out of the "air" from the terminal where you swipe your card to the computer tha

by Barbara G	Mar 20, 2008 9:02 AM
I will shop elsewhere. Sure, it could happen to any business, but I'm not comfortable using my card at Sweetbay.

by Mel	Mar 19, 2008 4:48 PM
Vicious sharks!! You want something for free, just because you shop at their store. This is a misfortunate thing that has happened. I'm a victim of credit card fraud, and I blame no one else but the thief who stole my information.

by WellFed	Mar 19, 2008 4:45 PM
I ain't boycotting SweetBay. Where else can I buy two large, self rising, heavily stacked, hefty, supreme pizzas for five bucks. Keep em' coming guys.

by kitty	Mar 19, 2008 4:40 PM
This happened last year with the parent company of TJ Maxx & Marshall's, and is why I refuse to use a debit/credit card. People behind me in the checkout line may feel inconvenienced, but credit/debit card fraud really is far more inconveni

by Bonnie	Mar 19, 2008 4:39 PM
Credit card info can be stolen anytime or any place. Instead of wondering how much more is going to be charged on the comprimised card, wouldn't it make sense to just cancel it and get another?

by hank	Mar 19, 2008 3:34 PM
Remember when TJ Maxx was hacked ?The credit card companies sued and settled for $41mill. If a company is lax they should be held responsible.SweetBay spent an awful lot of money remodeling stores. Did they spend enough on security? Time will tell...

by William	Mar 19, 2008 9:54 AM
Everyone is always so quick to want to blame everyone. Things like this happen. Their system was hacked by criminals. It's the criminals you should be blaming, not Sweetbay (not even Sweetbay, their parent company if you read the article

by Jack	Mar 19, 2008 9:51 AM
I have been through two new cards in the last year because of this exact problem with other merchants. The most infuriating thing is that there is NO information available to card holders. Shouldn't the cardholder have the right to know the deta

by not victimized	Mar 19, 2008 9:51 AM
To Victimized. Next time read the article before you comment. It clearly says that no names or other personal information was disclosed so there can be no identity theft. Consequently monitoring your credit will do nothing for this situation. Wake up

by Val	Mar 19, 2008 9:50 AM
Sweetbay is in NO WAY liable for the fraud.The breach could occur with any retailer's security systems..hackers will always find a way around ..THAT is WHAT they DO!! Consumers need to be aware and monitor their accounts,take their own precautio

by rhonda	Mar 19, 2008 9:50 AM
The weak link is arrogance! "Given our state of the art system" Where is the competent IT department of SWEETBAY? Maybe time to clean house,too many donut breaks and not enough wheel to the grind stone. Customers should shop elsewhere.Reck

by frankie	Mar 19, 2008 9:50 AM
Is "SweetBay" the only grocery store in town? Perhaps shopping at another grocery store that has more concern for its customers.Bad things happen,how the merchant deals with this incident reflects on how they feel about their customers. Sec

by John	Mar 19, 2008 9:50 AM
Boycott is the only answer. Let hurt a company that aide and abade theft, then offers NO help, where it hurts!

by Karen	Mar 18, 2008 3:08 PM
If you think your credit card information has been stolen as a result of shopping at Sweetbay, we'd like to hear from you. Please call Ilyce Meckler at 727-892-2296 or e-mail imeckler@sptimes.com

by Victimized	Mar 18, 2008 2:57 PM
As a SweetBay customer, I called their customer hotline to see what could be done. Their answer: NOTHING! I suggest everyone boycott SweetBay until they offer one year of free credit monitoring service to all of us affected by their negligence!

by Rodger	Mar 18, 2008 8:47 AM
Why are they aloud to keep customers credit card information? Sweetbay should be responsible for any and all loses. I know as a former merchant, once the sale went through we didnt keep their information because it wasnt ours to lose.