Card fraud fears are felt
Customers respond to security breach
BY MEGHAN MALLOY
Staff Writer
Kennebec Journal & Morning Sentinel 03/19/2008

Hannaford customer Jeffrey Hope didn't waste any time in trying to protect himself from becoming one of the hundreds defrauded.

"I was concerned, very concerned," the Winthrop resident said of the supermarket's widespread data theft.

He called Key Bank and immediately canceled debit cards in his and his wife's names and asked for new ones to be reissued because "it made the most sense to do."

That's one of the actions that security experts tell victims to take.

Hope, who does "a significant amount of shopping" at Hannaford, said even if his family didn't immediately become defrauded because of the breach, he worried there could be a chance that his data could be exposed later.

Hannaford this week announced that 1,800 unauthorized charges were made on customer cards from December 2007 through this month. The identities of 4.2 million customers were potentially exposed in the security breach.

Hope had to pay $10 to have two debit cards from Key Bank replaced, which had been the bank's normal reissuing policy.

But Key Bank spokesman Bill Murschel said Tuesday that all clients who feel "it is important to close their accounts for their safety" in light of the Hannaford breach can now have the fee waived or refunded.

Hannaford shopper Donna Trezza wasn't so lucky.

The Madison woman said someone has stolen her card numbers three times since Jan. 1, despite canceling and getting a new card after each episode.

The charges would occur, Trezza said, shortly after she used her debit card at a Hannaford.

"I couldn't understand where it was coming from," Trezza recalled. She said the most recent misuse of one of her cards was Monday, but the bank caught the suspicious activity before damage was done.

"I'm glad I know where the source is now," Trezza said. "I won't be going to Hannaford with my debit card anymore."

By law, people who learn that their debit card has been used by someone else have 48 hours to report it, or they can be liable for $500 or more of the defrauded charges.

Customers hit by credit-card fraud, however, have their losses limited to $50 per card, according to federal regulations. In most cases, victims aren't permanently liable for unauthorized charges, according to the Maine Bureau of Consumer Credit Protection.

As of early Monday, there had been fraudulent activity on 1,800 unique credit or debit cards, according to Hannaford spokeswoman Carol Eleazer. An updated number was not available on Tuesday.

Eleazer said individual financial institutions are now handling reports of fraudulent activity and there is no central reporting agency keeping a running tally of all reports of fraud.

Hannaford, based in Scarborough, said compromised cards were used in transactions at all 165 stores it operates, plus transactions at 106 Sweetbay stores in Florida and 23 independently run stores that use Hannaford operating systems. Hannaford Bros. is owned by Belgium's Delhaize Group.

Eleazer said that while Hannaford could confirm that the security breach in their operating system was closed as of March 10, she could not definitively say whether any card numbers compromised during the breach could be used for fraudulent activity in the future.

She recommended consumers discuss this with their individual banks or financial institutions. Because no names, addresses or Social Security numbers were stolen, consumers do not need to worry about traditional identity theft, in which a criminal uses personal data to open new lines of credit. However, the compromised information included everything necessary for any kind of credit card purchase, whether by phone, online or in person, Eleazer said.

Eleazer said the company first got wind of the security breach on Feb. 27, when credit-card companies traced "unusual credit-card activity" to Hannaford customers. Thieves accessed card numbers and expiration dates as they were being transmitted for authorization in checkout lines.

The company used its own employees and hired an outside private firm to investigate the breach, working "24/7," Eleazer said. She could not describe the company's operating system or say whether it had been created specifically for Hannaford.

"Hannaford has never had a breach like this before," she said. "It's been quite a surprise to us in that we have state of the art technology

Hannaford has set up a special 25-member call center working 12-hour shifts to respond to customer queries, Eleazer said. The number is 1-866-591-4580.

MaineToday Media, Inc. contributed to this report.
