Tuesday, March 18, 2008

Credit Card Breach at Hannaford.

Corporate Governance (CG) is a term usually associated with CEO compensation, Board Composition, Director Independence, etc. These are some of the factors that governance rating companies most commonly consider.

CG is the accountability or responsibility that a company has towards all its stakeholders. Now the word stakeholders conjures up images of shareholders, employees and other internal constituents of a company. An important, often overlooked stakeholder is the customer and, in the case of the retail industry, one of the most critical. Imagine a concentric circle within which you have the shareholders in the innermost circle followed by the management or employees, then the Board followed by vendors, customers, banks, regulators, and the circle gets bigger and the list gets broader. CG expectations mandate that the company present itself as a responsible corporate citizen not just to its inner circle stakeholders but to the surrounding circles as well.

The credit card fraud at TJX and the most recent one (reported today) at Hannaford Bros Co., a grocery chain in the U.S. (a group company of Delhaize SA), are prime examples of instances where a company fails to fulfill its responsibility towards its external stakeholders. The computer intrusion at TJX went on for 18 months before being discovered. The worst part was the audacity with which it was executed. There were 3 different ways in which the attack was carried out, including one where the credit card processing terminal was replaced.

The Hannaford breach has reportedly affected close to 4.2 million credit and debit card numbers. The breach occurred at over 200 stores in the U.S. The modus operandi in this case, as with TJX, was a breach during credit card transmission. Close to 2000 fraud cases related to this breach have already been reported. On the Hannaford company website, you will find the CEO’s apology to customers and a brief mention that they promise to cooperate fully with the authorities handling this probe. On the other hand, if you visit the corporate website of Hannaford’s parent company (Delhaize SA), there is no mention of this credit card breach, no apology or update on steps being taken to combat this problem, which was discovered on February 29th, and this despite the fact that out of Delhaize’s 2545 stores, 1570 are based in the U.S. It would be interesting to find out whether the same procedures for credit card transmission were in effect in all its U.S. stores (besides Hannaford and Sweetbay, there is Food Lion). Another point to note: the company’s credit rating was recently (Mar 11th) elevated by S&P to BBB- (investor grade positive outlook) from a BB+ (investor grade stable outlook).

Ironically, Hannaford was certified as PCI compliant last spring and once again in February.

1 comment:

  1. Tejus Trivedi: Legally speaking, we can't expect the PCI to keep pace with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. --Ben