Vermont ski area reports Hannaford-like theft of payment card data

Vermont ski area reports Hannaford-like theft of payment card data
Vermont ski area reports Hannaford-like theft of payment card data 

By Jaikumar Vijayan
April 2, 2008 

In a security breach that sounds similar to the one disclosed by 
Hannaford Bros. Co. last month, the Okemo Mountain Resort ski area in 
Vermont announced this week that data from more than 46,000 credit and 
debit card transactions may have been compromised during a system 
intrusion over a 16-day period in February.

Okemo said in a security advisory released on Monday that the breach may 
have affected customers who used their payment cards at the resort in 
Ludlow, Vt., between Feb. 7 and Feb. 22, the time frame when the 
intrusion took place. The intruder or intruders may also have accessed 
data from card transactions processed between January and March 2006, 
according to the advisory.

Bonnie MacPherson, a spokeswoman for Okemo, said today that at least 
some of the data appears to have been stolen as the recent payment card 
transactions were being authorized. "We can tell you that this was a 
real-time theft," McPherson said. "The information was being taken as 
the cards were being swiped."

If that is actually the case, it could make the breach at Okemo a close 
cousin to the much larger one announced by Hannaford on March 17. In the 
Hannaford breach, malware installed on servers in each of the 
Scarborough, Maine-based company's grocery stores intercepted card data 
as the information was being transmitted from point-of-sale systems to 
authorize transactions.

Hannaford said in a letter sent to Massachusetts officials last week 
that up to 4.2 million credit and debit card numbers, as well as the 
expiration dates of the affected cards, were stolen by the malware 
program and then sent in batches to a server hosted by a foreign ISP. 
The grocer added that the discovery of the mass malware installation 
prompted a wholesale replacement of its store servers, plus other 
unspecified steps aimed at ensuring "that no versions of the malware 
remain anywhere on the company's systems."

And Hannaford and Okemo may not be the only businesses disclosing 
breaches involving payment card data in transit between systems. 
According to McPherson, law enforcement authorities who are 
investigating the breach at Okemo told resort officials that they 
currently are looking into about 50 reported incidents of the same sort 
in the Northeast alone.

McPherson said the system intrusion was discovered in late February but 
declined to comment on how the resort learned of it, citing the ongoing 
investigation. She added that Okemo has taken steps to close the breach 
and prevent further intrusions, but again didn't disclose any specific 

In addition to notifying law enforcement officials, Okemo has informed 
Visa, MasterCard and American Express of the breach. But the resort 
doesn't have sufficient information on hand in its systems to directly 
contact all of the individuals who might have been affected, McPherson 
said. Resort officials have been told, she said, that customers will be 
contacted directly by the banks that issued their credit and debit 

Okemo doesn't know for sure how many cardholders were affected. But in 
its advisory, the resort said that data from up to 28,168 card 
transactions processed in February may have been compromised. Okemo 
noted that the number of customers potentially affected may be smaller 
than that number because some cards might have been used for multiple 
transactions. In addition, data on 18,401 individual credit cards used 
at Okemo from in early 2006 may have been accessed during the intrusion, 
the resort said.

According to Okemo, a computer forensics review by an outside security 
consultant found no evidence of any security breaches on the systems at 
the Mount Sunapee ski area in Vermont or the Crested Butte Mountain 
Resort in Colorado. All three ski areas are owned by the same company.

After Hannaford disclosed its breach, some analysts said it was the 
first time that attackers had swiped payment card data while the 
information was in transit on such a large scale. Most of the card data 
compromises reported thus far have involved information stored in 
databases on systems or in storage devices. But with companies putting 
more effective controls around stored data, attackers may be shifting 
their attention to data in transit.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods