Hannaford tells regulators how breach happened

Hackers used sophisticated methods to evade detection and place malware on nearly 300 Hannaford Bros. store servers to intercept payment information during the transaction transmission process, the grocery chain told Massachusetts authorities.

As many as 4.2 million credit and debit card numbers, used in Hannaford's approximately 300 stores between Dec. 7 and March 10, may have been exposed in the attack. The company has said some 2,000 cases of fraud have already resulted.

In a letter delivered to Massachusetts Attorney General Martha Coakley and the Office of Consumer Affairs and Business Regulation, which was first reported on Friday by The Boston Globe, Hannaford told regulators that hackers planted malware, either remotely or in person, on servers.

The goal of the malware was to sniff for card numbers.

"All indications were that it was a novel and quite sophisticated attack," Carol Eleazer, vice president of marketing, told SCMagazineUS.com on Tuesday. "It was able to snatch debit and credit card numbers while they were in flight as part of the authorization process."

Hannaford was notified of irregular credit card activity on Feb. 27, ironically the same day Hannaford was recertified as being Payment Card Industry Data Security Standard-compliant.

"By virtue of the certification to the PCI standards, we believed we had the highest standards in the retail industry applying to our data security and we had several measures beyond that with detection and prevention capabilities," Eleazer said.

Brian Chess, chief scientist at application security vendor Fortify Software, said in a statement that a software flaw likely allowed the hackers to install the malicious software.

"My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers, then figured out that there was a vulnerability on some piece of code running on all of the machines," Chess said. "We see many organizations that are much more lax about internal systems."

Ted Julian, vice president of strategy and marketing at database security firm Application Security Inc., told SCMagazineUS.com on Tuesday that companies must concentrate on securing the data, not the conduits to that information.

"You need to know where sensitive data is," he said. "You don't have to worry about the 18 million ways to get there."

Eleazer said part of Hannaford's transaction authorization system was encrypted, while part was not. She added that the company does not store any customer data.

Hannaford plans on compensating victims "who may have experienced extraordinary out-of-pocket expenses" related to the breach, she said.

That burden falls to the card issuing banks, but Eleazer said Hannaford wants to do right by its customers.

"If there were extraordinary expenses that weren't reimbursed another way and if a customer was impacted, we would, on a case-by-case basis, determine an appropriate action that would align with our philosophy of treating customers fairly," she said.

In the meantime, a forensic examination is under way. Eleazer said she hopes the probe reveals information that would be useful to provide to other merchants trying to secure their customers' data.

"That's the socially responsible thing to do," she said. "We were attacked and we would like to prevent having anyone put their customers in the same position we find ourselves."