funsec mailing list archives

[privacy] State warns Hannaford about laws on data leaks


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 19 Mar 2008 08:38:14 -0400

http://www.boston.com/business/personalfinance/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/

Massachusetts officials yesterday warned the Hannaford Bros. supermarket
chain that state law requires companies to promptly notify them of security
breaches, following Hannaford's disclosure Monday that a data breach
potentially exposed 4.2 million credit and debit cards to fraud.

The law, adopted last year after a massive hack at Framingham retailer TJX
<http://boston.stockgroup.com/sn_overview.asp?symbol=TJX> Cos., compels
companies to notify the Massachusetts Office of Consumer Affairs and
Business Regulation "as soon as practicable and without unreasonable delay"
after a security breach involving state residents' credit card numbers and
other sensitive personal data. The only exception is when law enforcement
officials request a delay to protect a criminal investigation.

As of yesterday, the consumer affairs office had not received official
notification of the security breach. Hannaford didn't publicly acknowledge
the security lapse until Monday afternoon - after the Massachusetts Bankers
Association issued a press release warning consumers about a major breach at
an unnamed retail chain.

The company, based in Maine, has said signs of the breach were uncovered
three weeks ago, but said it delayed making the breach public until it had
gathered enough information to give help to consumers.

Yet, Hannaford's breach might be exempt from the Massachusetts law because
of a technicality. Specifically, the state statute refers to security
breaches involving personal information - defined as a resident's name in
combination with a Social Security number, financial account number, or
driver's license number. But Hannaford said credit and debit card numbers
alone were potentially compromised. In fact, Hannaford said it doesn't store
names at all.

Hannaford said the breach affected more than 270 stores, including those in
Massachusetts, Maine, New Hampshire, New York, and Vermont.

The company is aware of at least 1,800 cases where cards were used
fraudulently. The data breach, among the biggest since hackers stole as many
as 100 million credit and debit card numbers from TJX in a case disclosed
last year, lasted from December until March.

_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy
