As many as 4.2 million credit and debit card numbers, used in Hannaford's approximately 300 stores between Dec. 7 and March 10, may have been exposed in the attack. The company has said some 2,000 cases of fraud have already resulted.
In a letter delivered to Massachusetts Attorney General Martha Coakley and the Office of Consumer Affairs and Business Regulation, which was first reported on Friday by The Boston Globe, Hannaford told regulators that hackers planted malware, either remotely or in person, on servers.
The goal of the malware was to sniff for card numbers.
"All indications were that it was a novel and quite sophisticated attack," Carol Eleazer, vice president of marketing, told SCMagazineUS.com on Tuesday. "It was able to snatch debit and credit card numbers while they were in flight as part of the authorization process."
Hannaford was notified of irregular credit card activity on Feb. 27, ironically the same day it was recertified as compliant with the Payment Card Industry Data Security Standard (PCI DSS).
"By virtue of the certification to the PCI standards, we believed we had the highest standards in the retail industry applying to our data security and we had several measures beyond that with detection and prevention capabilities," Eleazer said.
Brian Chess, chief scientist at application security vendor Fortify Software, said in a statement that a software flaw likely allowed the hackers to install the malicious software.
"My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers, then figured out that there was a vulnerability on some piece of code running on all of the machines," Chess said. "We see many organizations that are much more lax about internal systems."
Ted Julian, vice president of strategy and marketing at database security firm Application Security Inc., told SCMagazineUS.com on Tuesday that companies must concentrate on securing the data, not the conduits to that information.
"You need to know where sensitive data is," he said. "You don't have to worry about the 18 million ways to get there."
Eleazer said part of Hannaford's transaction authorization system was encrypted, while part was not. She added that the company does not store any customer data.
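The following is an added illustration and is not part of the original report, nor does it describe Hannaford's actual systems. It shows why a number "in flight" on an unencrypted leg of the authorization path is trivially recoverable, while the same sniffer recovers nothing from an encrypted leg: a scanner that pulls Luhn-valid primary account numbers (PANs) out of a captured buffer. The message layout, field names, segment names and the SHA-256 keystream stand-in for "encrypted" are all constructed assumptions; the two PANs are well-known test numbers. The same scanner is a useful defensive check to run over your own packet captures for plaintext card data.

```python
"""Added example: scan captured authorization traffic for plaintext PANs.

Constructed data only. The message layout, field names and segment names are
illustrative assumptions, not Hannaford's or any real processor's format.
"""
import hashlib
import re

# 13 to 19 digits with optional single space/dash separators, and not part of a
# longer digit run (so a 22-digit transaction ID does not produce a false hit).
PAN_CANDIDATE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(data: bytes) -> list[str]:
    """Return Luhn-valid PAN candidates found in a byte buffer, in order."""
    pans = []
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def keystream_xor(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the encrypted leg: deterministic SHA-256 counter-mode
    keystream XOR, chosen only so the example is reproducible offline.
    Assumption for the demo, not a recommended cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


# Constructed authorization request, loosely ISO 8583-flavoured.
# 4111111111111111 and 5555555555554444 are standard test PANs.
# MERCHANT is a 15-digit, non-Luhn value that the scanner must reject.
AUTH_REQUEST = (
    b"0100|PAN=4111 1111 1111 1111|AMT=000000012345|STAN=123456|EXP=1012|"
    b"TERM=00000001|MERCHANT=123456789012345\n"
    b"0100|PAN=5555-5555-5555-4444|AMT=000000000999|STAN=123457|EXP=0911\n"
)


def scan_path(segments: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the PAN scanner over each captured segment of the authorization path."""
    return {name: find_pans(buf) for name, buf in segments.items()}


def demo() -> dict[str, list[str]]:
    """Same message captured on a plaintext store-LAN leg and on an encrypted WAN leg."""
    captured = {
        "store_lan_plaintext": AUTH_REQUEST,
        "wan_encrypted": keystream_xor(AUTH_REQUEST, b"constructed-demo-key"),
    }
    return scan_path(captured)


if __name__ == "__main__":
    for segment, pans in demo().items():
        masked = [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans]
        print(f"{segment}: {masked}")
```

The plaintext leg yields both card numbers while rejecting the amount, terminal and merchant fields; the encrypted leg yields nothing, which is the whole difference between the two halves of the path described above.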
Hannaford plans on compensating victims "who may have experienced extraordinary out-of-pocket expenses" related to the breach, she said.
That burden normally falls to the card-issuing banks, but Eleazer said Hannaford wants to do right by its customers.
"If there were extraordinary expenses that weren't reimbursed another way and if a customer was impacted, we would, on a case-by-case basis, determine an appropriate action that would align with our philosophy of treating customers fairly," she said.
In the meantime, a forensic examination is under way. Eleazer said she hopes the probe reveals information that would be useful to provide to other merchants trying to secure their customers' data.
"That's the socially responsible thing to do," she said. "We were attacked and we would like to prevent having anyone put their customers in the same position we find ourselves."