Malware at Hannaford Raises More Questions About Data Security

Fraudsters planted so-called malware, or malicious software, on servers at about 300 supermarkets in or affiliated with the Hannaford Bros. Inc. supermarket chain and with it were able to steal credit and debit card data, according to a letter from a Hannaford attorney to Massachusetts officials. The thefts happened even though Hannaford at the time was compliant with the Payment Card Industry data-security standard, or PCI. Card numbers and expiration dates captured by the malware were batched and sent to an unidentified foreign Internet service provider. Scarborough, Maine-based Hannaford says it is aware of about 2,000 instances of fraud related to the hack, according to the Boston Globe. “There was malware, and it replicated itself onto servers,” Hannaford vice president of marketing Carol Eleazer tells Digital Transactions News. “We believe the malware was installed somewhere on or around Dec. 7th [2007] and was active through March 10th.” The breach involved all 165 Hannaford Bros. stores in New England and New York, 106 stores in Florida of corporate affiliate Sweetbay, and some independent grocery stores in the Northeast that carry Hannaford products. Hannaford became aware of the breach Feb. 27 but didn't disclose it until March 17 (Digital Transactions News, March 18). Hannaford was re-certified as meeting PCI's requirements only about a month before, making the breach the first publicly known instance of a PCI-compliant merchant being hacked. The intrusion also differs from earlier known breaches in that it involved the theft of data in transit during the authorization process, rather than in storage. Eleazer would not comment when asked if an insider, such as an employee or contractor familiar with Hannaford's systems, is suspected of involvement. The matter is under criminal investigation by the U.S. Secret Service and also is being investigated by Hannaford's technical staff and outside experts. More details of the crime emerged over the weekend through disclosure of a letter sent earlier in the week by Hannaford general counsel Emily D. Dickinson to Massachusetts Attorney General Martha Coakley and Daniel Crane, director of the Office of Consumer Affairs and Business Regulation. Crane had reminded Hannaford about a Massachusetts law requiring disclosure of data breaches affecting Massachusetts consumers. Hannaford and a spokesperson for the attorney general's office refused to divulge the letter, and a spokesperson for the Consumer Affairs office did not return a Digital Transactions News call. But contents of the letter apparently were leaked to some press outlets. The alarming factors about the Hannaford case are that PCI compliance is not a guarantee against intrusion by hackers, and that data that are transmitted unencrypted, as the Hannaford data apparently were, according to technology publication Computer World, can be intercepted, even if the time of unencrypted transmission is a mere fraction of a second. “You cannot build a fortress for a mag stripe that's in the open,” says electronic payments consultant Steve Mott, principal of Stamford, Conn.-based BetterBuyDesign. “[The Hannaford incident] just screams that we're not safe electronically anywhere.” Some thieves use a customized variant of malware that is very difficult to detect with most anti-virus and anti-spyware detection systems that look for known files or variants, Gartner Inc. analyst Avivah Litan, who tracks payment technology and security tells Digital Transactions News. “They are getting better and better at deploying malware that is not detected with standard detection systems,” she says. A growing number of vendors, including leading U.S. terminal maker VeriFone Holdings Inc. in partnership with Semtek Innovative Solutions Corp., are starting to offer systems that prevent sensitive cardholder data from ever getting into a retailer's computer system. New technology can encrypt the contents of the magnetic-stripe data the instant the card is swiped. But improvements can cost up to $200 per terminal, according to Litan. According to Computer World, the letter says Hannaford replaced all affected servers and hardware after discovering the malware. How the malware got onto all the servers is unknown, but it's possible the hackers installed it through one weak spot in the computer system, and from there it was able to replicate itself to the store servers.