The thefts, which occurred while the cards were being verified for purchase, already have resulted in at least 1,800 incidences of fraud, the Scarborough, Maine company said. No personally identifiable information, such as names and addresses, were compromised.
The merchant, which operates more than 150 Hannaford stores in New England and New York, and Sweetbay stores in Florida, detected the attack on Feb. 27 after it was made aware of suspicious credit card activity affecting some customers.
"We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry," Hannaford President and Chief Executive Officer Ronald Hodge said in a Monday letter to customers. "The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization."
Hannaford said it encourages customers who have made purchases at its stores during the past three months using credit and debit cards, and who suspect fraudulent activity on those accounts, to notify their card issuers and banks.
The Massachusetts Bankers Association (MBA), which represents 207 banks and savings and loan institutions in the state, said on Monday in a statement that Visa and MasterCard notified some 60 to 70 banks about the breach.
The two credit card brands did not release the name of the compromised merchant to the banks, the MBA said. The association said it is trying to require brands to release the name of the offending retailer.
In December, the MBA and two other bankers groups settled with Framingham, Mass.-based TJX over the discount retailer's record breach in which 45.7 million card numbers were exposed to wireless hackers. Court filings, meanwhile, have placed the number twice as high.