
Experts: Data theft likely to flourish

Someone tried to use Diane Christy’s debit card information. “You always hear about it happening to other people, you just never think it’s going to happen to you,” she says.

Stephen J. Coddington | Times


Fabienne Mostrum discovered her debit card numbers had been stolen again when Publix refused to honor the card. Her online check of the account confirmed a thief charged $630 in a Maryland Wal-Mart.

Her credit union, which had canceled the card, mailed a replacement. But she spent four hours figuring out what happened, a weekend with no cash and days worrying about the implications, like whether her automatic mortgage payment would bounce.

It was the fifth time Mostrum's card account was hacked from a retailer's data transmission, this time at Sweetbay Supermarket. "It's outrageous these retailers are so careless with your personal information," said the 44-year-old St. Petersburg resident.

Most experts advise: Get used to it.

Cyber crooks are getting smarter about stealing and selling payment card details to other crooks who try to turn them into cash. Since 2005 records on more than 223-million people have been exposed in unauthorized data breaches, according to the Privacy Rights Clearinghouse. The number of reported cases tripled in the past three years.

But only about one in 10 credit-related data breaches is publicly disclosed, according to Gartner Inc., a high-tech research firm. While many bankers themselves are frustrated by delays learning of retailer breaches, few will name the store to customers.

It's one of the risks unmentioned in the latest Visa commercials featuring care-free customers swirling through a buffet and zipping by the cash register like they're on a nonstop carousel. But even though their banks canceled the bogus charges, many victims of the Sweetbay hack want off the merry-go-round.

The Tampa grocery chain announced March 17 that most customers' credit and debit card account numbers and personal identification numbers had been exposed in a transmission breach that lasted from Dec. 7 to March 10. Many victims criticized the grocer, which discovered the breach on Feb. 27, then waited 19 days before telling anybody.

The Secret Service is investigating how thieves tapped into the data transmissions that exposed 1.6-million payment card numbers at Sweetbay stores in Florida plus 2.6-million more at its 165-store corporate cousin, Hannaford Bros. in New England.

Four class-action lawsuits were filed in Tampa and Portland, Maine, on behalf of victims. Two big questions were asked: When did the grocer really discover the hack attack? And why did the chain wait so long to reveal it?

"That was as fast as we could get all the information together, understand how this incredibly sophisticated attack was done to our system and get it patched," said Carole Eleazer, Hannaford vice president of marketing.

The breach did not reveal personal information like names, addresses or Social Security numbers that would make it easier to steal someone's identity. Nonetheless news of the breach gave exasperated Tampa Bay residents more clues to trace as they try to unravel how thieves swiped their identities months ago.

"I'm not using that card again," said Sandra Rouse, a 58-year-old Zephyrhills teacher whose card was canceled when someone in Brazil tried to charge $180 on it. "I presume it was Sweetbay because I read about the breach and I use the card there."

It's her third new card in two years blamed on a data breach.

Diane Christy stumbled onto the theft during a routine online check of her debit account. Somebody spent $440.82 at Dell Computer in Texas. The Port Richey resident called the bank and Dell's fraud unit before the order was delivered. The card number came from Sweetbay because she read about the breach and realized it was the only store where she used it.

"Shame on Sweetbay for not having better security," she said.

The nature of breaches forces retailers to trace them through bogus transactions brought to their attention. Then they work backward to figure out what happened. Breaches of unencrypted data could be the work of anyone. Theft of encrypted data makes rogue insiders suspects.

Laws in more than 30 states including Florida require disclosure. But there's lots of wiggle room for retailers. In Florida, for instance, a breach must be reported within 45 days. But that's only if the transmission is not encrypted.

While victims blame stores, experts blame the banks, too.

Both have allowed a mixed bag of dated card-number transmission networks to proliferate. The system encourages retailers to prod shoppers to use riskier credit cards while rewarding banks with higher fees.

"PIN encryption is far more secure than a credit card," said Avivah Litan, security fraud analyst with Gartner.

The banks enforce their card security standards through a sort of no-harm, no-foul system that protects shoppers from fraudulent charges.

If a retailer is lax, the chain is fined for not meeting standards set by an industry group called the Payment Industry Council.

In a recently settled TJMaxx/Marshalls breach, which exposed 46-million card numbers, the $41-million fine reimbursed banks for their losses.

"The standards are designed only to remove the low hanging fruit among the large number of retailers who are the least protected," said Rob Lee, a principal with the data security firm Mandiant Corp. in Alexandria, Va. "But nobody is unhackable anymore, so we're going to see more of these cases."

Yet while victims may want to know about breaches sooner, experts say it's unclear what victims could do except shop elsewhere. Historically only a tiny fraction of compromised card numbers are used fraudulently.

Card issuers, which use math to pinpoint card fraud patterns in real time, cancel suspect numbers or put them on a watch list before damage can be done.

For instance, of the 4.2-million Hannaford/Sweetbay numbers exposed, so far fewer than 2,000 attempted fraudulent transactions have surfaced.

"I've been notified six times of breaches and only once did anything happen," said Mandiant's Lee. "That was when somebody behind me in line overseas copied my card number and tried to use it."

The Hannaford/Sweetbay breach, however, is different from other highly publicized hack jobs. The 2005 TJMaxx breach, which started at two Marshalls in Miami and went for 18 months, was done by thieves intercepting unencrypted wireless card data on a laptop in parking lots.

Hannaford/Sweetbay says its only wireless data is encrypted and limited to inside stores. It is the first case of a network certified by a third party to meet payment council standards while the breach was under way.

But as lawyers argue about who is liable, expect little change in breach disclosure.

That's because consumers are not being hit up for the losses. Retailers are. Meanwhile, the banks keep collecting 3 percent or so of each card transaction.

"The process works quite well for the banks," said Robert Richardson, director of the Computer Security Institute in San Francisco. "Losses have rarely been as extreme as feared and generated little public outcry for more disclosure, so we're not in a climate of much legislative concern."

Times staff writer Ilyce Meckler contributed to this report. Mark Albright can be reached at or (727) 893-8252.

4.2-million: Payment card numbers exposed by the Hannaford/Sweetbay data breach

Fewer than 2,000: Reported fraud cases linked to the breach

223-million: Number of computerized records exposed nationally in unauthorized data breaches since 2005

11: Percentage of credit data breaches made public

Sources: Sweetbay Supermarket, Privacy Rights Clearinghouse, Gartner Inc.

>>Fast Facts

Protect your card numbers from fraud

• Comb bank and card statements carefully for unauthorized charges. Dispute them immediately.

• Don't expect a retailer to notify you of a data breach on a card that's not their own. It is likely they do not have your name, address or phone number.

• Be vigilant about keeping credit card and personal identification numbers secret, such as while waiting at the checkout or making an ATM withdrawal.

• If you suspect foul play, call your card-issuer immediately. If your monthly bill doesn't appear on time, it could be a sign of identity theft. That's when someone tries to cobble several pieces of your personal information into duplicate credit cards without your knowledge.

• Read the fine print on all payment cards so you know what you are liable for. Most cards have zero liability in case of fraud. But a debit card and PIN can be used to drain your checking account before the bank agrees it was fraud.

• Do not use as a PIN consecutive numbers, your birth date or the last four digits of your Social Security number.

Experts: Data theft likely to flourish 03/25/08 [Last modified: Thursday, March 27, 2008 9:06am]

© 2017 Tampa Bay Times

