Fabienne Mostrum discovered her debit card numbers had been stolen again when Publix refused to honor the card. Her online check of the account confirmed a thief charged $630 in a Maryland Wal-Mart.
Her credit union, which had canceled the card, mailed a replacement. But she spent four hours figuring out what happened, a weekend with no cash and days worrying about the implications, such as whether her automatic mortgage payment would bounce.
It was the fifth time Mostrum's card account was hacked from a retailer's data transmission, this time at Sweetbay Supermarket. "It's outrageous these retailers are so careless with your personal information," said the 44-year-old St. Petersburg resident.
Most experts advise: Get used to it.
Cyber crooks are getting smarter about stealing and selling payment card details to other crooks who try to turn them into cash. Since 2005 records on more than 223-million people have been exposed in unauthorized data breaches, according to the Privacy Rights Clearinghouse. The number of reported cases tripled in the past three years.
But only about one in 10 credit-related data breaches is publicly disclosed, according to Gartner Inc., a high-tech research firm. While many bankers themselves are frustrated by delays learning of retailer breaches, few will name the store to customers.
It's one of the risks unmentioned in the latest Visa commercials featuring carefree customers swirling through a buffet and zipping by the cash register like they're on a nonstop carousel. But even though their banks canceled the bogus charges, many victims of the Sweetbay hack want off the merry-go-round.
The Tampa grocery chain announced March 17 that most customers' credit and debit card account numbers and personal identification numbers had been exposed in a transmission breach that lasted from Dec. 7 to March 10. Many victims criticized the grocer, which discovered the breach on Feb. 27, then waited 19 days before telling anybody.
The Secret Service is investigating how thieves tapped into the data transmissions that exposed 1.6-million payment card numbers at Sweetbay stores in Florida plus 2.6-million more at its 165-store corporate cousin, Hannaford Bros. in New England.
Four class-action lawsuits were filed in Tampa and Portland, Maine, on behalf of victims. Two big questions were asked: When did the grocer really discover the hack attack? And why did the chain wait so long to reveal it?
"That was as fast as we could get all the information together, understand how this incredibly sophisticated attack was done to our system and get it patched," said Carole Eleazer, Hannaford vice president of marketing.
The breach did not reveal personal information like names, addresses or Social Security numbers that would make it easier to steal someone's identity. Nonetheless, news of the breach gave exasperated Tampa Bay residents more clues to trace as they try to unravel how thieves swiped their card numbers months ago.
"I'm not using that card again," said Sandra Rouse, a 58-year-old Zephyrhills teacher whose card was canceled when someone in Brazil tried to charge $180 on it. "I presume it was Sweetbay because I read about the breach and I use the card there."
It's her third new card in two years blamed on a data breach.
Diane Christy stumbled onto the theft during a routine online check of her debit account. Somebody spent $440.82 at Dell Computer in Texas. The Port Richey resident called the bank and Dell's fraud unit before the order was delivered. She concluded the card number came from Sweetbay after reading about the breach and realizing it was the only store where she used the card.
"Shame on Sweetbay for not having better security," she said.
The nature of breaches forces retailers to trace them through bogus transactions brought to their attention. Then they work backward to figure out what happened. A breach of unencrypted data could be the work of anyone. Theft of encrypted data makes rogue insiders the suspects.
Laws in more than 30 states including Florida require disclosure. But there's lots of wiggle room for retailers. In Florida, for instance, a breach must be reported within 45 days. But that's only if the transmission is not encrypted.
While victims blame stores, experts blame the banks, too.
Both have allowed a mixed bag of dated card-number transmission networks to proliferate. The system encourages retailers to prod shoppers to use riskier credit cards while rewarding banks with higher fees.
"PIN encryption is far more secure than a credit card," said Avivah Litan, security fraud analyst with Gartner.
The banks enforce their card security standards through a sort of no-harm, no-foul system that protects shoppers from fraudulent charges.
If a retailer is lax, the chain is fined for not meeting standards set by an industry group called the Payment Industry Council.
In a recently settled TJMaxx/Marshalls breach, which exposed 46-million card numbers, the $41-million fine reimbursed banks for their losses.
"The standards are designed only to remove the low-hanging fruit among the large number of retailers who are the least protected," said Rob Lee, a principal with the data security firm Mandiant Corp. in Alexandria, Va. "But nobody is unhackable anymore, so we're going to see more of these cases."
Yet while victims may want to know about breaches sooner, experts say it's unclear what victims could do except shop elsewhere. Historically, only a tiny fraction of compromised card numbers are used fraudulently.
Card issuers, which use math to pinpoint card fraud patterns in real time, cancel suspect numbers or put them on a watch list before damage can be done.
For instance, of the 4.2-million Hannaford/Sweetbay numbers exposed, so far fewer than 2,000 attempted fraudulent transactions have surfaced.
"I've been notified six times of breaches and only once did anything happen," said Mandiant's Lee. "That was when somebody behind me in line overseas copied my card number and tried to use it."
The Hannaford/Sweetbay breach, however, is different from other highly publicized hack jobs. The 2005 TJMaxx breach, which started at two Marshalls in Miami and went for 18 months, was done by thieves intercepting unencrypted wireless card data on a laptop in parking lots.
Hannaford/Sweetbay says its only wireless data is encrypted and limited to inside stores. It is the first case of a network certified by a third party to meet the payment council standard while the breach was under way.
But as lawyers argue about who is liable, expect little change in breach disclosure.
That's because consumers are not being hit up for the losses. Retailers are. Meanwhile, the banks keep collecting 3 percent or so of each card transaction.
"The process works quite well for the banks," said Robert Richardson, director of the Computer Security Institute in San Francisco. "Losses have rarely been as extreme as feared and generated little public outcry for more disclosure, so we're not in a climate of much legislative concern."
Times staff writer Ilyce Meckler contributed to this report. Mark Albright can be reached at [email protected] or (727) 893-8252.