By Ross Kerber
The Boston Globe
March 28, 2008
A massive data breach at Hannaford Brothers Cos. was caused by a "new
and sophisticated" method in which software was secretly installed on
servers at every one of its grocery stores, the company told
Massachusetts regulators this week.
The unauthorized intrusion the company disclosed on March 17 stemmed
from software that intercepted card data from customers as they paid
with plastic at store checkout counters, and sent the data overseas,
Hannaford's top lawyer said in a letter sent to Attorney General Martha
Coakley and Governor Deval Patrick's Office of Consumer Affairs and
The software was installed on computer servers at each of the roughly
300 stores operated by Hannaford and its partners. Hannaford did not say
how the software might have been placed on so many servers, and company
spokeswoman Carol Eleazer said the company continues to investigate how
the software was installed and other specifics of the breach. The Secret
Service, which pursues currency crimes, is conducting its own
Data security specialists say the new details show how hackers have
grown more adept at penetrating weak links in the systems that connect
merchants and banks. In previous breaches, such as the record-setting
intrusion at TJX Cos. of Framingham, where as many as 100 million card
numbers were compromised, hackers took advantage of merchants who stored
customer names and card data - sometimes in violation of payment
industry standards - at central locations in their computer networks.
In contrast, Hannaford says it did not store customer information. The
hackers who struck Hannaford mined a stream of data that the merchant
and banks were not responsible for protecting under industry rules,
industry specialists said.
The Hannaford breach "was markedly more sophisticated," said Steve
Rowen, a partner at Retail Systems Research of Miami, which does
consulting work for merchants.
The Hannaford breach also poses worrisome questions for the payment
industry as it struggles to tighten security. Hannaford, for example,
had met compliance standards set by Visa Inc. and other card companies,
but that did not stop the breach.
"Just because they are compliant, it doesn't mean they are safe," said
Graham Cluley, technology consultant for Sophos Inc., a Burlington
computer security firm. Card issuers and others need to find other ways
to improve security, he added.
"Clearly, consumer confidence is being shaken by this constant stream of
breaches," Cluley said.
Hannaford said in the letter that the problem potentially compromised
the account numbers and expiration dates on all 4.2 million credit and
debit card numbers used at its stores in six states between Dec. 7 and
March 10, though the actual number taken may be smaller. Hannaford said
it knows of about 2,000 cases of fraud related to the intrusion.
Hannaford's letter was sent by its general counsel, Emily D. Dickinson.
Dickinson wrote that an "illicit and unauthorized computer program"
known as "malware" was installed on the servers of each of the stores
the company operates in Maine, Vermont, New Hampshire, Massachusetts,
and New York, plus at stores elsewhere, including the Sweetbay chain in
Florida, that use its payment systems. Hannaford and Sweetbay are owned
by Belgium's Delhaize Group.
The malware intercepted the "track 2" data stored on the magnetic stripe
of payment cards as customers used them at the checkout counter,
Dickinson wrote. This track includes the card's number and expiration
date, but not the customer's name.
The data were taken "in transit for authorization from the point of
sale," the letter states, meaning as it was transmitted from the cash
register to one of the institutions that Hannaford uses to process
transactions. Eleazer said these include major card networks and First
Data Corp. of Denver, a major processor.
The malware on the store servers stored up records of these purchases in
batches, then transmitted them to an unnamed offshore Internet service
provider, the letter states. Foreign crime rings have been blamed in a
number of other payment card fraud cases.
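The two passages above describe the data the malware captured (track 2 of the magnetic stripe: card number and expiration date, no cardholder name) and how it was handled (batched on the store server, then sent outbound). As an added example, not code from the article or from Hannaford, the block below parses track 2 in its standard layout (start sentinel `;`, PAN, field separator `=`, YYMM expiry, three-digit service code, discretionary data, end sentinel `?`), validates the PAN with the Luhn check, masks it for logging, and scans an outbound blob for embedded track-2 records the way an egress or DLP check would. The sample track string and the sample outbound batch are constructed here; the PAN is the common 4111... test number, not a real account.

```python
import re
from typing import NamedTuple, Optional

# Standard track 2 layout (ISO 7813): ;PAN=YYMM SSS discretionary? LRC
# The name lives on track 1 only, which is why track 2 carries no cardholder name.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4}|=)(?P<sc>\d{3}|=)(?P<disc>[0-9=]*)\??$"
)

# Looser pattern for spotting track-2 records inside arbitrary outbound data.
TRACK2_SCAN_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


class Track2(NamedTuple):
    pan: str
    exp_yymm: Optional[str]      # None when the card encodes no expiry ("=")
    service_code: Optional[str]  # None when encoded as "="
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check over a digit string (right-to-left, double every second digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a track 2 string into its fields; raises ValueError on malformed input."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a track 2 string")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    exp = None if m.group("exp") == "=" else m.group("exp")
    sc = None if m.group("sc") == "=" else m.group("sc")
    return Track2(pan, exp, sc, m.group("disc"))


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the usual truncation permitted for logs)."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2_in(blob: str) -> list:
    """Return masked PANs of Luhn-valid track-2 records found anywhere in blob.

    This is the kind of check an egress filter would run on data leaving a store
    server: the article's malware batched exactly these records before sending them.
    """
    hits = []
    for m in TRACK2_SCAN_RE.finditer(blob):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append(mask_pan(pan))
    return hits


# Constructed sample: test PAN, expiry 10/03 (March 2010), service code 101.
SAMPLE_TRACK2 = ";4111111111111111=1003101123456789?"

# Constructed sample of a batched outbound blob with one valid and one bogus record.
SAMPLE_BATCH = (
    "batch=0007|" + SAMPLE_TRACK2 + "|;4111111111111112=1003101000000000?|end"
)

if __name__ == "__main__":
    rec = parse_track2(SAMPLE_TRACK2)
    print("PAN (masked):", mask_pan(rec.pan), "exp:", rec.exp_yymm, "svc:", rec.service_code)
    print("fields present:", rec._fields)          # note: no cardholder name field
    print("track-2 records in outbound batch:", find_track2_in(SAMPLE_BATCH))
```

The scanner deliberately requires a Luhn-valid PAN so that ordinary numeric data with a stray `=` does not trigger it; the bogus record in the sample batch (last digit altered) is dropped for that reason.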
"Law enforcement officials and others report that the method of illicit
acquisition is a new and sophisticated method in that it obtains data in
transit during the course of the authorization process," the letter
Cluley said the software could have been installed remotely. This could
have been accomplished through a breach of the company's firewall.
Alternatively, the servers may not have been running the latest security
patches, or may have had antivirus programs that weren't updated.
Hannaford stated in the letter that it has replaced the hardware on
which the malware was installed. Cluley said that could suggest a
company insider or a technician for one of its vendors could have placed
Executives of Visa Inc. of San Francisco, the largest payment card
company, issued a statement yesterday saying it is working with
Hannaford, banks, and law enforcement.
Hannaford said in its letter that it was certified a year ago as meeting
card security standards and was recertified on Feb. 27. Eleazer said
that was the day Visa first notified Hannaford of unusual card activity
and began its investigation. That the standards did not stop the
thieves, she said, "speaks to the increasing sophistication of the
criminal element that propagates these attacks."
Copyright 2008 Globe Newspaper Company.