By REBECCA EVERETT
@GazetteRebecca
Last modified: Thursday, November 06, 2014
EASTHAMPTON — Local bankers said this week that data breaches at some retailers in Easthampton and Southampton, including Big E’s Supermarket, appear to be over, thanks partly to businesses’ efforts to upgrade security.
Easthampton Savings Bank President and CEO Matthew S. Sosik said banks are always dealing with some level of fraudulent activity, but things have quieted down substantially. “There’s really no activity now, nothing that can be pegged to a local business,” he said.
Lynn Star, chief information officer at the bank, said the fraudulent activity really dropped off in August. Monica Curhan, a spokeswoman for Florence Savings Bank, agreed.
“This is the normal cycle, the normal pattern for a breach,” Sosik said, as long as merchants and banks work together to stop the fraud.
Payment systems at some local retailers were hacked and started leaking card information to fraudsters in April, Sosik said, but in the following months, most affected businesses installed more secure payment systems.
Banks also stepped up their fraud monitoring. The result is that what was once a fruitful community for the fraudsters is no longer so, Sosik said. Even if the hackers keep getting card information, vigilant banks are often able to see and stop the fraudulent charges before they go through. If fraudulent charges did go through, banks reimbursed cardholders.
“But to have that cycle, merchants have to be accountable,” he said.
Big E’s Supermarket, which the attorney general’s office last week confirmed was one of the breached businesses, is “a great example of accountability,” Sosik said.
One store’s experience
During the height of the fraudulent activity, bankers and law enforcement officials refused to release the names of the businesses affected by data breaches because they said they had no way to be sure. Sosik at the time said he believed a “handful” of Easthampton businesses and one or two in Southampton were hacked, and thousands of people had their cards compromised.
Last week, in response to a public records request, the attorney general’s office provided a letter that Big E’s Supermarket President Judith LeBel sent June 25. The letter notified Attorney General Martha Coakley that a data breach at the store had affected “over one hundred Massachusetts residents.”
LeBel provided a statement to the Gazette this week, detailing the steps the store took to fix the problem. She said cardholders’ information was compromised over two days in May.
On May 12, she said, store personnel heard from two customers who believed that their cards had been compromised at Big E’s. Supermarket officials immediately contacted the vendor that provides the point-of-sale terminals (where people swipe their debit cards), who scanned the system and found that it had likely been breached on May 10.
By the end of the day May 12, LeBel said in the statement, the vendor had removed the virus and reformatted all point-of-sale terminals to fix the problem.
LeBel said the store’s payment terminals were replaced on May 16 and again in August with more secure systems that use encryption to prevent data breaches. “This means that as soon as our customer swipes their card, the information is encrypted and remains encrypted until it reaches our processor,” she said. A new server was installed in the end of June, she wrote.
“The attorney general’s office contacted us in August and was satisfied with what we had done in regards to this possible breach,” she said in the statement.
Store leaders have been proactive throughout the ordeal, she said, and will continue to regularly scan the systems to ensure they have not been hacked. “After being in business for 36 years, this is the first incident that we have experienced concerning our front-end system. We understand the concerns of our customers and want to assure them that we have done everything possible to ensure that their credit card/debit card information is secure.”
Security assurance
Until early August, the Gazette heard from local residents who believed their cards continued to be compromised at Big E’s. But LeBel maintains that cardholders’ information was only hacked during a few days in May.
LeBel said she and other store personnel met with the point-of-sale vendor and processor in June.
“They assured us that our system was safe and the new encrypted card readers installed in May could not be compromised,” she said in the statement.
“It is possible these customers shopped during the few days when our system was compromised and this information was not used until months later,” she said. “It is also possible they could have shopped at our store and another compromised business (and there were several in town) and once again this information wasn’t used until months later.”
The Gazette asked the attorney general’s office for any documents that named Easthampton or Southampton businesses that had been rumored to be breached, but only received the letter Big E’s Supermarket sent in June. In her statement, LeBel expressed surprise that the supermarket was the only retailer to contact the attorney general’s office.
“In June, the Secret Service visited our location and did several scans on our system. Apparently, many businesses in our immediate area had also been compromised,” she said. “They informed us that it was our responsibility, as well as all the other businesses that had been compromised, to notify the attorney general’s office concerning this possible breach.”
But in a statement to the Gazette, the attorney general’s office said state law on the topic requires retailers to notify the banks that own or license the card information. The banks, in turn, are required to inform the attorney general’s office, the director of consumer affairs and business regulation, and the affected cardholders about the breach.
Rebecca Everett can be reached at reverett@gazettenet.com.