Data leak
Hannaford Brothers Supermarkets POS Malware Breach (4.2M Cards, PCI Compliant)
Incident Details
Hannaford Brothers, a supermarket chain operating in the northeastern United States, disclosed in March 2008 that its point-of-sale systems had been compromised by malware that stole approximately 4.2 million credit and debit card numbers between December 2007 and March 2008. The malware captured card data during the brief window in which it travelled unencrypted from the card swipe to the payment network, that is, before encryption was applied. The breach is particularly significant because Hannaford was fully PCI-DSS compliant at the time and had recently passed a compliance audit. The case became a landmark argument that PCI-DSS compliance does not equal security, and it helped push the PCI-DSS standard toward requiring encryption of card data in transit within the store network, not only on external transmission. Hannaford faced multiple class action lawsuits and paid approximately $15 million in settlements.
Technical Details
- Initial Attack Vector
  - Attackers installed malware on Hannaford's point-of-sale servers that intercepted and transmitted unencrypted card data in real time as transactions were authorized, despite Hannaford being fully PCI-DSS compliant at the time
Timeline
- 2007-12-01 Breach occurred
- 2008-03-17 Publicly disclosed
- 2008-03-17 Customers notified