funsec mailing list archives
[privacy] State warns Hannaford about laws on data leaks
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 19 Mar 2008 08:38:14 -0400
http://www.boston.com/business/personalfinance/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/
Massachusetts officials yesterday warned the Hannaford Bros. supermarket chain that state law requires companies to promptly notify them of security breaches, following Hannaford's disclosure Monday that a data breach potentially exposed 4.2 million credit and debit cards to fraud.
The law, adopted last year after a massive hack at Framingham retailer TJX <http://boston.stockgroup.com/sn_overview.asp?symbol=TJX> Cos., compels companies to notify the Massachusetts Office of Consumer Affairs and Business Regulation "as soon as practicable and without unreasonable delay" after a security breach involving state residents' credit card numbers and other sensitive personal data. The only exception is when law enforcement officials request a delay to protect a criminal investigation.
As of yesterday, the consumer affairs office had not received official notification of the security breach. Hannaford didn't publicly acknowledge the security lapse until Monday afternoon - after the Massachusetts Bankers Association issued a press release warning consumers about a major breach at an unnamed retail chain. The company, based in Maine, has said signs of the breach were uncovered three weeks ago, but said it delayed making the breach public until it had gathered enough information to give help to consumers.
Yet, Hannaford's breach might be exempt from the Massachusetts law because of a technicality. Specifically, the state statute refers to security breaches involving personal information - defined as a resident's name in combination with a Social Security number, financial account number, or driver's license number. But Hannaford said credit and debit card numbers alone were potentially compromised. In fact, Hannaford said it doesn't store names at all.
Hannaford said the breach affected more than 270 stores, including those in Massachusetts, Maine, New Hampshire, New York, and Vermont. The company is aware of at least 1,800 cases where cards were used fraudulently. The data breach, among the biggest since hackers stole as many as 100 million credit and debit card numbers from TJX in a case disclosed last year, lasted from December until March.
_______________________________________________ privacy mailing list privacy () whitestar linuxbox org http://www.whitestar.linuxbox.org/mailman/listinfo/privacy