Suits follow in wake of security breach (Printed March 28, 2008)
By Renee Worthing
Register Reporter
The fallout continues in the wake of a security breach involving 4.2 million credit and debit cards used at Hannaford during a three-month period.
At least two potential class action lawsuits have been filed in response to the March 17 announcement that credit and debit card information was stolen.
Michael Fantini, a partner at the law firm Berger & Montague based in Philadelphia, Pa., said his firm filed a class action lawsuit in U.S. District Court for the District of Maine on behalf of Massachusetts resident Greg Doherty, who used a debit card Jan. 25 to purchase $88.15 worth of merchandise at a Hannaford in Quincy, Mass.
The two-part suit alleges negligence and breach of implied contracts on the part of Hannaford.
According to the suit, Hannaford “failed to maintain adequate computer data security.”
The suit also alleges Hannaford breached the implied contract that it would safeguard information and notify customers promptly of “any and all theft” of (credit and debit card) information.
Hannaford Supermarkets Spokesman Michael Norton said the company became aware of unusual activity on Feb. 27.
He said an immediate investigation revealed a “window of time of about three months before, when the payment systems were attacked.”
“There is a potential exposure (of card information) in all 165 stores,” Norton said.
He said the information that was breached did not include names, driver’s license numbers or social security numbers.
“There is a complexity in making electronic payments an easy and convenient thing,” Norton said. “We will harden our system. It (breach) has never happened before and we don’t want it to happen again.”
Norton said federal agents are involved in the investigation.
“This is a serious crime,” he said, noting the United States Secret Service is routinely involved in investigations involving data intrusion.
He also said Hannaford would not contact customers by phone or e-mail regarding the breach of data.
According to the lawsuit, “the three month delay in detecting the breach casts doubt on Hannaford’s intrusion detection procedures and system monitoring controls.”
The suit alleges that although Hannaford first became aware of unusual credit card activity on Feb. 27, it did not publicly announce the breach until March 17, nearly three weeks later.
Fantini said he received between 20 and 40 phone calls from people who may be considered part of the class action lawsuit.
“It’s going to become more widespread,” he said.
Fantini said Berger & Montague has handled these types of cases before, including being co-counsel in the TJX security breach in 2007 that affected “tens of millions” of credit and debit cardholders.
Another potential lawsuit was filed by the law firm Lanham and Blackwell based in Bangor.
Samuel Lanham said the suit was filed on behalf of Melinda Ryan in northern Maine.
“As of right now, there is no class,” Lanham said.
He said the court must first certify the suit as a class action lawsuit.
“There is an awful lot to be done,” he said.
Lanham said there were multiple cases to be filed in multiple states.
“I fully expect everything will be assigned to one judge who will cover the whole kit and caboodle,” Lanham said.
He said Hannaford had an obligation to ensure a third party could not gain access to customers’ personal and private information.
Lanham said his office has not handled these types of cases before and said this was a “new [type of] litigation.”
“We’re finding a new wave of theft [with computers] and the legal system will put a stop to it,” he said.
The suits follow a week of reassurance from local banks that customers’ accounts are safe.
Town and Country Federal Credit Union, which has branches in Portland, Scarborough, Saco and two in South Portland, was notified by VISA March 13 of a compromise of credit and debit card information, President and CEO Chris Daudelin said.
“We did not officially know (who) the retailer (was) until Monday (March 17),” he said.
“We really want to emphasize that no customer will pay for any fraudulent activity,” Daudelin said. “Our Zero Liability fraud protection for all VISA debit and credit cards means customers have 100 percent protection.”
He said any suspicious activity should be reported to the bank immediately.
“We will research it and notify local authorities,” he said.
Kennebunk Savings Bank Senior Vice President Martha Muldoon said she received about 70 calls from concerned customers as of March 19.
“We have assured each of them that they are not responsible for fraudulent activity on their account,” Muldoon said.
Kennebunk Savings Bank serves customers at 13 locations, including Biddeford, Kennebunk and Sanford.
She said any suspicious activity will result in the debit or credit card being deactivated, and a new card issued. Muldoon encouraged Kennebunk Savings Bank customers to closely monitor their accounts through the Internet rather than waiting until bank statements arrive in the mail.
“I’m so disappointed that a prestigious company like Hannaford would leave itself open to compromise,” she said. “The banks have to pay for this.”
She said Hannaford customers who wrote checks for their purchases should not be concerned because check information is sent electronically.
She said she knew of at least one customer who received an e-mail that appeared to originate from Kennebunk Savings Bank.
She said the e-mail featured the Kennebunk Savings Bank logo and advised the recipient that fraudulent activity had occurred. It also said the bank had closed the account.
“It looked official,” she said. “The e-mail included a number to call to begin the process of reactivating the account. Kennebunk Savings Bank does not send these kinds of e-mail.”
She said the telephone number provided on the e-mail is answered by an answering machine that falsely announces the caller has reached Kennebunk Savings Bank.
She said this kind of e-mail, called “phishing,” is a fraudulent attempt to acquire personal or financial information by someone not associated with Kennebunk Savings Bank, and an alert regarding “phishing” has been posted on the Kennebunk Savings Bank Web site.
“We will not contact you via e-mail or phone,” he said.
He said if someone receives a telephone call or e-mail from someone claiming to be a financial institution representative, it is important not to divulge any information.
Key Bank Public Affairs Representative Lynne Woodman said Key Bank monitors debit card activity every day.
“When we learned of this data breach, we increased our level of surveillance on client debit cards,” she said. “If we identify suspicious activity on a debit card, we will alert that client directly. The alert is usually a phone call, and if the client asks, we suggest a return phone call to our toll-free line to verify our identity. We never ask for identifying information when verifying transactions. We always advise clients to monitor their accounts closely, via statements, online or via Key’s toll-free call centers and report any suspicious activity immediately.”
“We certainly would not call seeking personal information,” Hannaford representative Michael Norton said. “We are happy to talk to our customers, but we won’t be requesting your name unless you contact us first. Even then, we won’t ask for personal information.”
While banks were busy assuaging concerned customers, shoppers at the Sanford Hannaford seemed unfazed by the breach soon after it was revealed.
Sanford resident April Leeman said she was initially concerned about writing a check at Hannaford until she called her mother, who works at a bank.
“I’ll definitely keep an eye on my statements,” Leeman said. “This (breach) makes me look twice. It’s always in the back of my mind, but I won’t stop shopping at Hannaford.”
Jan Webber of Sanford said on March 18 she was shocked when she heard about the security breach.
“I don’t pay by credit, I pay cash,” she said.
Sue Creteau of Shapleigh also said she pays only by cash.
“It doesn’t affect me all,” she said.
Sanford resident Ron Cote said he and his wife always check their bank statements carefully.
“My wife was already on it this morning,” he said.
Hannaford Bros. was purchased by Belgian-based DelHaize in 2002.
According to the DelHaize Web site, DelHaize America also operates under the names Hannaford, which became a subsidiary of DelHaize America in July 2000, as well as Food Lion, Bloom, Bottom Dollar, Harveys Bros., Kash n’ Karry and Sweetbay.





