Skip Links

Details emerging on Hannaford data breach

Malware loaded onto Hannaford servers let attackers intercept credit card data

By , Network World
March 28, 2008 02:01 PM ET

Network World - Hannaford Brothers Cos, which earlier this month disclosed a data breach involving credit cards at its supermarket stores, this week shared more information with Massachusetts regulators about the ongoing investigation into the incident.

In a letter to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick’s Office of Consumer Affairs, Hannaford’s general counsel Emily Dickinson shared details that Hannaford is uncovering in its investigation.

The letter stated that malware loaded onto Hannaford servers allowed attackers to intercept card data stored on the magnetic stripe of payment cards as customer’s used them at the check-out counter, according to information Hannaford provided to the Massachusetts Attorney General. That information, taken in transit from the point of sale, included card number and expiration date but not the customer’s name. The attack resulted in card data being transferred overseas and has resulted in 2,000 known cases of fraud.

“It’s an evolving situation,” said Carol Eleazer, vice president of marketing at Hannaford, noting that the computer forensics reports have not yet been completed on the data-breach incident.

Hannaford’s security investigators, whom she wasn’t at liberty to name, are calling the attack “sophisticated.” She said the U.S. Secret Service is also involved in finding out how the data breach occurred.

The attack was successful in spite of the fact that Hannaford is compliant with the Payment Card Industry rules for proving adherence to the PCI data security standards by undergoing an elaborate — and usually expensive — examination and certification required by card associations, including Visa and MasterCard.

PCI also has requirements for periodic vulnerability scans. Hannaford says it received PCI certification last year and was recertified on February 27.

Not surprisingly, the Hannaford data-breach case has already elicited a few customer lawsuits

Some analysts regard the ongoing Hannaford case as raising important and unanswered questions about PCI and its purpose.
If the attackers in the Hannaford case initially captured data from the point-of-sale device to a server in the store, they may have known that data isn’t required under PCI to be encrypted at that point, notes Avivah Litan, vice president at Gartner and an expert in computer network security used in retailing.

“PCI only calls for the need to encrypt across an open network, usually the Internet or wireless,” says Litan. “In retailing, you almost never encrypt between the cash register point of sale and the store server.”

As more information about the Hannaford data breach becomes known, there may be some industry effort to broaden the encryption requirement. However, Litan’s opinion is that requiring additional encryption would not necessarily be a good move because it would entail huge costs to retailers processing card data. Besides, she points out, the vulnerability scanning called for in PCI should address server weaknesses that would allow malware to be loaded onto a server.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News