PORTLAND, Maine A federal judge here dealt victims of a 2007 cards breach at Hannaford Bros. a major defeat last week when he refused to certify the group for class action status in their civil suit against the New England supermarket chain.
The judge ruled the cardholders failed to prove the necessary requirements for a class and therefore must sue the company individually if they continue their claims.
Millions of credit union and bank cardholders had their personal information stolen in the Hannaford Bros. breach. It turned out the company was one of a dozen major companies, including Sports Authority, Barnes & Noble and TJX, breached by hacker who was a one-time federal informant. Albert Gonzalez, a 28-year-old college dropout, is serving a 20-year sentence in federal prison in Massachusetts, where the TJX breach occurred. Other companies hit included BJ’s Wholesale Club, Office Max, 7-Eleven, Heartland Payment Systems, and Dave & Busters.
Among others findings, the judge in the Hannaford case ruled the cardholders failed to prove significant damages, even though most of the plaintiffs bought identity theft protection after their information was breached. That is because Hannaford set up a fund to reimburse customers whose accounts were breached for such costs.
The case illustrates how difficult it has been for both cardholders and financial institutions to win legal claims in breach cases. Several other courts have dismissed credit union claims in recent years where the legal liability has been questioned.
Most of the hacking by Gonzalez and his accomplices took place in Miami, where they would drive by major retailers and try to penetrate their databases on laptops in the parking lots. When successful, they downloaded to servers in Latvia and the Ukraine, according to court records. The credit card information eventually was passed on to master Ukrainian card seller Maksym Yastremskiy, who sold it to thousands of individuals in the online underground or at websites. The stolen data was used to create counterfeit credit cards, which then were used to buy merchandise or withdraw millions of dollars in cash from ATMs.
Yastremskiy, who earned $11 million from card sales, was captured in Turkey in 2007. In 2009 he was sentenced to 30 years in prison by a Turkish court.
