About 4.2-million Visa, MasterCard and Discover credit and debit card numbers — 1.6-million of them used at Sweetbay Supermarkets in Florida in the past three months — were exposed to hackers who tapped into the computer network at Hannaford Brothers grocery chain in Portland, Maine.
Hannaford, which runs 160 stores in New England, also processes transactions for its 106-store corporate sibling Sweetbay, which operates on the west coast of Florida.
So far, fewer than 2,000 transactions have been identified as fraudulent. But investigators are not sharing the details, including the type of fraud.
"We're just starting our investigation," said Malcolm Wiley, spokesman for the U.S. Secret Service, which probes counterfeiting and many computer-related crimes.
The security breach exposed payment card account numbers for any transaction handled at a Sweetbay between Dec. 7, 2007, and March 10.
Sweetbay officials, in apologizing for the "intrusion," suggested Monday that customers double-check card or bank statements for unauthorized or unfamiliar transactions. Call the bank or card issuer, or both, if something looks suspicious.
Sweetbay does not know the names or personal identification of its customers. So it said it has no way to call anyone to ask for added personal information in connection with the case.
Visa officials declined to comment on the case except to say card holders are not liable for any loss triggered by fraud. Visa is notifying card issuers of compromised accounts and is prepared to issue thousands of new account numbers if necessary.
The hack is the latest in a growing type of organized retail theft plaguing companies that handle massive amounts of payment card data, including TJMaxx parent TJX Cos. and First Data's Western Union unit.
TJX last month paid $41-million to settle with the card companies after its security was partly blamed for a 2005 hack that exposed 46-million credit card numbers to thieves.
Hannaford learned of the hack when a card payment clearinghouse on Feb. 27 spotted an unusual number of transactions.
Quoting an unidentified source in the investigation, the Wall Street Journal online said Monday that the card numbers have turned up in transactions in Detroit, Houston, France and Brazil.
Unlike TJX, where hackers intercepted wireless signals from outside a data-processing center, Hannaford uses only encrypted wireless signals to transmit numbers inside stores. Transmissions to the computer in Maine go through telephone lines.
By March 8 the company and its computer security consultants felt confident enough in pinpointing the dates of the breach to make repairs that were completed March 10.
"We have our arms around the problem, but given our state-of-the-art system, it was a real surprise that we were under attack," said Carol Eleazer, spokeswoman for Hannaford. "This was an incredibly sophisticated scheme."
Hannaford and Sweetbay don't collect personal information on their customers. So the information compromised was limited to card numbers and expiration dates.
That's typically not enough to create a stolen identity. Thieves usually rush to use card account numbers to make purchases online or to create counterfeit cards or bogus gift cards to transform account numbers into cash. Doing so requires blank cards and machines that can read other security tracking data embedded in the cards. Retail security groups have complained that the equipment needed is readily available from online auction sites.
Mark Albright can be reached at email@example.com or