PORTLAND, Maine — Credit unions in Maine and scattered across other New England states are bracing themselves for potential costs in closing and reissuing credit card accounts after another U.S. retail chain reported a card security compromise.
The Hannaford Bros. Co. operates grocery stores across Maine and New England, as well as some in Florida under the Sweetbay brand. So far, the company has not listed any Sweetbay stores as compromised in the breach.
According to the company, the breach was suspected on Feb. 27 and confirmed after investigation on March 10, and the company notified the public about the breach on March 17. The Maine Credit Union League has estimated that Maine and other area credit unions may end up reissuing 150,000 card accounts because of the compromise.
This makes the Hannaford breach the largest retailer card security compromise since the one at the TJX retail chain last year. It differs only because the retailer that suffered the compromise is more geographically limited than the TJX chain.
"For more than 125 years, Hannaford has been dedicated to earning the trust of our customers, and we sincerely regret any concern or inconvenience this has caused," said Ronald C. Hodge, Hannaford president/CEO in a prepared statement. "We have taken aggressive steps to augment our network security capabilities. Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions," he added.
The company has confirmed that it had recently been audited and certified as compliant with the PCI standards. "From everything we have learned since the breach occurred," said Hannaford Vice President Carol Eleazer, "this was a very sophisticated and well-planned operation. We still have not identified how precisely they got in but have fallen back and are examining everything."
Eleazer also said the firm had a policy of continuous improvement that it used to make sure its data security kept pace with whatever technological improvements and upgrades it adopted.
The ability of the thieves to crack a retailer that was PCI compliant may cast doubt on the mechanism that the card industry has been hoping would provide the degree of security against data breaches. The Associated Press also reported that the breach took place when card data was intercepted while being sent to the bank for confirmation, but the company has not yet confirmed this.
According to Rebekah Higgins, card services manager at Synergent, the service subsidiary of the Maine Credit Union League that handles card services and processing for many Maine credit unions, "Because the compromise occurred at a major Maine retailer that so many Maine people use on a regular basis, the impact and cost of this compromise will be significantly higher than the TJX compromise last year." Higgins said a number of credit unions have already begun reissuing their entire card base.
John Murphy, president of the Maine Credit Union League and Synergent, explained, "In this case, as is often the case in data breaches and compromises, the financial institution has done everything right and it is the merchant who bears full responsibility of the compromise. Unfortunately, though, typically credit unions and other financial institutions bear most, if not all, of the costs associated with the compromise, such as reissuing the cards, staff resources and communications with members. We are strong advocates that the time has come to shift the financial burden from the financial institution to the source of the breach because, in the case of credit unions, every member-owner is affected by the breach."
Murphy did not estimate the overall cost of the breach since the league was focused on helping member credit unions work through the close and reissue process and because so many of the attendant costs differ from credit union to credit union. He also said the league had not yet decided whether or not to sue on behalf of its member credit unions.
If the league does take Hannaford to court, it may have to wait in line behind other litigants. Media sources have reported that two law firms, one based in Philadelphia and the other in Maine, have already filed class-action lawsuits on behalf of Hannaford customers.
According to court documents in one of the suits, attorneys are charging the retail chain with inadequate data security that resulted in the compromise of the personal financial data of consumers, thereby exposing them to the risk of fraud.
The class-action suit also charged the company with negligence and breach of implied contract and sought to recover any damages that might be caused to consumers as a result of the breach. Hannaford failed to live up to the implicit understanding that a business will safeguard the financial information of its customers, the suit claimed. The suit also noted that the chain had apparently not notified consumers in a timely manner.
Whether or not a CU lawsuit moves forward, credit unions across Maine are facing the question of whether or not to close and reissue every account that has been affected in the breach or to merely put them on a watch list. So far, roughly 1,800 accounts have incurred fraudulent charges, and the U.S. Secret Service has confirmed that it is investigating.
And the breach has also begun to play a role in the fight to get laws passed to require retailers to repay card issuers for losses incurred during these breaches. In Wisconsin, retail lobbyists succeeded in killing proposed legislation that would have made Wisconsin retailers accountable for card breaches, and the Wisconsin Credit Union League was quick to jump on the Hannaford breach as an example of the fundamental problem.
"If you oppose simple, common sense consumer protection legislation, be assured that the consumer will be left holding the bag–and paying the cost–again," said Brett Thompson, president/CEO of the Wisconsin Credit Union League in a prepared statement.
The league supported state legislation–AB 745, introduced by Representative Brett Davis (R-Oregon) and its Senate companion bill, SB 439, introduced by Senator Bob Wirch (D-Pleasant Prairie)–which would prevent the storage of personal card data by merchants following a transaction.
The League-supported legislation would have held a merchant liable for costs related to re-issuing consumers' cards and monitoring accounts for fraud but only if the breach had occurred at some point outside the processing of a transaction.
"Even when the rules are followed, data is vulnerable to attack. So why would we not pass legislation that makes card security tighter by preventing risky merchant practices that fall outside the rules?" Thompson asks.
It's unclear at this point whether Hannaford would have been liable under the Wisconsin law for this breach since the data may have been lost during processing.