
Mar 28, 2008 6:19 pm US/Eastern
Malware Used In Hannaford Data Breach
BOSTON (WBZ) ―
Unauthorized software that was secretly installed on servers in Hannaford Bros. supermarkets enabled the massive data breach that compromised up to 4.2 million credit and debit cards.
The Maine-based company confirmed that the software was secretly installed on computer servers inside every Hannaford Supermarket in New England and New York.
The company doesn't know how the malware -- short for malicious software -- got onto nearly all its 271 stores' servers.
In a letter to the Massachusetts Attorney General and Office of Consumer Affairs, Hannaford's general counsel said, "The malware batched the numbers and expiration dates as authorizations were received, and then periodically transmitted the data to an offshore Internet service provider."
A Hannaford spokeswoman says at least 1,800 cases of fraud have been linked to the data breach, with unauthorized charges showing up as far afield as Mexico, Italy and Bulgaria.
The breach has prompted concern in the industry because it appeared to be the first large-scale theft of credit and debit card numbers while the information was in transit.
The usual mode of attack targets data sitting in databases.
"For it to be installed, that's a significant amount of network traffic that should have been picked up by someone," said computer forensics expert Rob Fitzgerald.
Fitzgerald, of the Lorenzi Group, said the data being lifted would have left a trail.
"Like opening a door and footprints in the snow," he said. "It has to leave a trail. There's no way for the information about that data to disappear."
It's believed the breach went on for months, between Dec. 7, 2007 and March 10, 2008. Hannaford points out it was certified as compliant with standards set to protect information from being stolen. It didn't, for example, store customer data.
But Fitzgerald said this case shows how being compliant isn't enough.
"We're going to see more of this we believe, and we have to be ready for it," he said.
According to Hannaford's letter, the compromised hardware has been replaced.
If you think you were affected by the Hannaford security breach, visit the state Office of Consumer Affairs and Business Regulation Web site for more information.
(© 2008 CBS Broadcasting Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)