News that more than 4 million credit and debit card numbers were potentially hacked from Hannaford grocery stores along the East Coast gives new meaning to the phrase “Cleanup on Aisle 3.”
The good news for consumers is that, if they quickly report fraudulent purchases, they won’t have to pay more than $50, with many banks waiving this amount.
The bad news is that this operation, which was among the first where data were stolen during the card verification process at the checkout, not while the electronic information was in storage, shows that illegal activity remains well ahead of detection systems and regulations.
Part of the reason for that, says Will Lund, superintendent of Maine’s Bureau of Consumer Credit Protection, is that detection systems can’t be too strict. Such systems look for patterns among the thousands of transactions individual cardholders make each year. A Bangor cardholder’s purchase in Boise might raise suspicion, but if the person is there on a vacation, a bank’s denying the transaction would not be welcome.
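The trade-off Lund describes, a rule that is too strict blocks a legitimate vacation purchase while a rule that only looks at the sequence of transactions does not, can be shown in a few lines. The following is an added illustration, not code from the editorial, from Hannaford or from any bank's fraud system: it compares a naive "deny anything outside the home state" rule with a pattern check that flags a purchase only when the card would have had to travel faster than a commercial flight since its previous use. The transactions, the city coordinates (rounded) and the 900 km/h threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    """One card-present purchase (constructed sample record)."""
    txn_id: str
    when: datetime
    city: str
    state: str
    lat: float
    lon: float
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


HOME_STATE = "ME"  # assumed: the cardholder lives in Bangor, Maine
T0 = datetime(2008, 3, 1, 9, 0)  # constructed timestamps

# Constructed history: a grocery run at home, a purchase two days later on
# vacation in Boise, then a purchase in Boston only 30 minutes after Boise.
TXNS = [
    Txn("t1", T0, "Bangor", "ME", 44.80, -68.77, 62.15),
    Txn("t2", T0 + timedelta(days=2), "Boise", "ID", 43.62, -116.21, 48.30),
    Txn("t3", T0 + timedelta(days=2, minutes=30), "Boston", "MA", 42.36, -71.06, 210.00),
]


def strict_out_of_state(txns, home_state=HOME_STATE):
    """Naive rule: flag every purchase made outside the home state.

    Catches fraud, but also the cardholder's own vacation spending.
    """
    return [t.txn_id for t in txns if t.state != home_state]


def impossible_travel(txns, max_kmh=900.0):
    """Pattern rule: flag a purchase only if reaching it from the previous
    purchase would require moving faster than max_kmh (about the speed of
    a commercial airliner; threshold is an assumption)."""
    flagged = []
    ordered = sorted(txns, key=lambda t: t.when)
    for prev, cur in zip(ordered, ordered[1:]):
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        if hours <= 0:
            # Same timestamp in two different places is itself suspicious.
            speed = float("inf") if dist > 0 else 0.0
        else:
            speed = dist / hours
        if speed > max_kmh:
            flagged.append(cur.txn_id)
    return flagged


if __name__ == "__main__":
    print("strict rule flags:", strict_out_of_state(TXNS))   # t2 and t3
    print("impossible-travel flags:", impossible_travel(TXNS))  # only t3
```

The strict rule denies the Boise purchase (the unwelcome outcome Lund describes) as well as the Boston one; the impossible-travel rule lets the vacation purchase through, because two days is ample time to get from Bangor to Boise, and flags only the Boston purchase, which would have required covering roughly 3,600 km in half an hour. Real systems layer many such signals, but the shape of the trade-off is the same.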
A better solution, and one likely to come out of the Hannaford breach, is for data to be encrypted at every step of every transaction. Apparently the Hannaford in-store system was considered a “closed” system or private network and was not encrypted, although the information was supposed to be transmitted over an encrypted line.
In a public or open system, such as for online purchases, credit and debit card information must be encrypted.
Last month, while the data breach was going on, Hannaford was found to be in compliance with security standards set by credit card companies. These rules were strengthened in 2005 after a large data breach at CardSystem Solutions, a payment processor.
Another disturbing aspect of the Hannaford breach is that the credit and debit card numbers alone were apparently enough to allow fraudulent activity on 1,800 cards in several states. Likely the numbers were used to make new cards with different names on them.
In Maine, this is also problematic because stealing just card numbers falls outside a new law meant to combat data and identity theft. The Notice of Risk to Personal Data Act, passed by the Legislature in 2005, requires notification of customers and state regulators in the event of a data breach, but only if both the cardholder’s name and another type of information, such as an account number, are taken. This shortcoming in the law should be quickly corrected by lawmakers.
In the meantime, the advice from state regulators is for consumers to scrutinize their statements and to quickly report fraudulent activity. That, or use cash.