By Jaikumar Vijayan
April 2, 2008
In a security breach that sounds similar to the one disclosed by
Hannaford Bros. Co. last month, the Okemo Mountain Resort ski area in
Vermont announced this week that data from more than 46,000 credit and
debit card transactions may have been compromised during a system
intrusion over a 16-day period in February.
Okemo said in a security advisory released on Monday that the breach may
have affected customers who used their payment cards at the resort in
Ludlow, Vt., between Feb. 7 and Feb. 22, the time frame when the
intrusion took place. The intruder or intruders may also have accessed
data from card transactions processed between January and March 2006,
according to the advisory.
Bonnie MacPherson, a spokeswoman for Okemo, said today that at least
some of the data appears to have been stolen as the recent payment card
transactions were being authorized. "We can tell you that this was a
real-time theft," MacPherson said. "The information was being taken as
the cards were being swiped."
If that is actually the case, it could make the breach at Okemo a close
cousin to the much larger one announced by Hannaford on March 17. In the
Hannaford breach, malware installed on servers in each of the
Scarborough, Maine-based company's grocery stores intercepted card data
as the information was being transmitted from point-of-sale systems to
Hannaford said in a letter sent to Massachusetts officials last week
that up to 4.2 million credit and debit card numbers, as well as the
expiration dates of the affected cards, were stolen by the malware
program and then sent in batches to a server hosted by a foreign ISP.
The grocer added that the discovery of the mass malware installation
prompted a wholesale replacement of its store servers, plus other
unspecified steps aimed at ensuring "that no versions of the malware
remain anywhere on the company's systems."
And Hannaford and Okemo may not be the only businesses disclosing
breaches involving payment card data in transit between systems.
According to MacPherson, law enforcement authorities who are
investigating the breach at Okemo told resort officials that they
currently are looking into about 50 reported incidents of the same sort
in the Northeast alone.
MacPherson said the system intrusion was discovered in late February but
declined to comment on how the resort learned of it, citing the ongoing
investigation. She added that Okemo has taken steps to close the breach
and prevent further intrusions, but again didn't disclose any specific
In addition to notifying law enforcement officials, Okemo has informed
Visa, MasterCard and American Express of the breach. But the resort
doesn't have sufficient information on hand in its systems to directly
contact all of the individuals who might have been affected, MacPherson
said. Resort officials have been told, she said, that customers will be
contacted directly by the banks that issued their credit and debit
Okemo doesn't know for sure how many cardholders were affected. But in
its advisory, the resort said that data from up to 28,168 card
transactions processed in February may have been compromised. Okemo
noted that the number of customers potentially affected may be smaller
than that number because some cards might have been used for multiple
transactions. In addition, data on 18,401 individual credit cards used
at Okemo in early 2006 may have been accessed during the intrusion,
the resort said.
According to Okemo, a computer forensics review by an outside security
consultant found no evidence of any security breaches on the systems at
the Mount Sunapee ski area in Vermont or the Crested Butte Mountain
Resort in Colorado. All three ski areas are owned by the same company.
After Hannaford disclosed its breach, some analysts said it was the
first time that attackers had swiped payment card data while the
information was in transit on such a large scale. Most of the card data
compromises reported thus far have involved information stored in
databases on systems or in storage devices. But with companies putting
more effective controls around stored data, attackers may be shifting
their attention to data in transit.