Days after supermarket chain Hannaford Bros announced a data breach, the company finds itself defending a class action lawsuit, filed on behalf of customers who credit or debit card data was stolen.
The suit was filed in the U.S. District Court for the District of Maine by the law firm of Berger & Montague, PC. The complaint alleges that Hannaford was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker.
On March 17, 2008, Hannaford announced on its website that there was a "data intrusion into its computer network that resulted in the theft of consumer credit and debit card numbers."
The stolen data included "credit and debit card numbers and expiration dates," which were accessed from Hannaford's computer system "during transmission of card authorization." The intrusion affected all Hannaford stores located throughout the North Eastern U.S., as well as Sweetbay stores in Florida.
Published news reports indicated that 4.2 million unique credit and debit card numbers have been exposed to potential fraud. To date, there have been approximately 1,800 cases of reported credit and debit card fraud stemming from the breach.
The suit claims the breach began on December 7, 2007 but wasn't contained until March 10, 2008. Hannaford stated that it became aware of the breach on February 27, 2008. However, Hannaford did not publicly announce the breach until almost three weeks later, on March 17, 2008.
The suit maintains that because of Hannaford's inadequate data security, its customers have had their personal financial information compromised, have been exposed to the risk of fraud, have incurred and will continue to incur time to monitor their accounts and dispute fraudulent charges, and have otherwise suffered damages.
Company CEO Ron Hodge said the attack has been contained.
"No personal information, such as names or addresses, was accessed. Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions," Hodge said in a statement on the company's Web site.
"The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization," Hodge said.
Hannaford said it is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected. It said it has also alerted law enforcement authorities, and is working closely with them to help identify those responsible.