More on Hannaford's Data Breach

Friday, March 28, 2008

Looks like it was unauthorized software (a Trojan or other malware) installed on servers in Hannaford's stores that was to blame for the massive data breach that affected me and millions of other shoppers.

Hannaford Bros. Co. says unauthorized software that was installed on servers in nearly all of its supermarkets caused the massive data breach that compromised up to 4.2 million credit and debit cards. The grocer confirmed a report in the Boston Globe that it told Massachusetts regulators this week about the link to an illicit computer program known as "malware."

Hannaford spokeswoman Carol Eleazer said the company doesn't know if the malware -- industry shorthand for malicious software -- was downloaded to the servers or installed by some other means.

The company has said that the data theft, which occurred between Dec. 7 and March 10, took place as shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.


This is very, very chilling. Of course, we all know that electronic voting machines can be easily hacked the same way (one guy even demonstrated it in a YouTube video).

This data breach wasn't a "slip up." It was intentional theft. You'd think everyone would be up in arms, racing to secure everything (especially banks). Nope.

There's a good editorial here that is very informative. It's better than those lame news stories, for sure. Here's a tidbit:

Hannaford Bros. says it has secured its credit and debit card transaction system to block future unauthorized access and the Secret Service is investigating. So far, 1,800 cases of fraud are linked to the breach.

Kevin Mandia, president of Alexandria, Va.-based computer security firm Mandiant Corp., said retailers are most vulnerable during the processing of the credit or debit transaction. Hackers can create a type of software called a "sniffer" that acts like a wiretap and can intercept credit and debit card data as it travels between the retailer's point of sale and the credit card processing company. It can be very difficult to detect sniffers.

While the banks appear all but ready to blame Hannaford for failing to follow payment card industry standards on security, there are signs that this may be the first of many cases to surface this year wherein the affected retailer was hacked even though it appeared to be following all of the security rules laid out by the credit card associations.

..."I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."

It gets better. Or, rather, worse.
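What Mandia's and Sartin's remarks leave implicit is how little a "sniffer" has to do once card data is crossing an internal segment in the clear. The Python below is an added example written for this page; it is not code from the post, the editorial, or Hannaford. It scans a constructed byte capture (labelled in the code, with published test card numbers rather than real ones) for magstripe track 2 records and bare card numbers, using the Luhn check to drop digit runs that merely look like cards. Pointed at a capture of a store-to-processor segment, a non-empty result is exactly the exposure Sartin describes, PCI-compliant or not.

```python
"""
Added example (not from the blog post, the editorial it quotes, or
Hannaford): the pattern match a "sniffer" planted on a store server needs
in order to pull card data out of unencrypted authorization traffic. The
same logic, run over a packet capture of an internal segment, tells a
defender whether card data is crossing that segment in the clear.

Assumptions: CAPTURE below is a constructed byte string, not a real frame
from any retailer or payment protocol; the PANs are industry test numbers.
"""
import re

# Track 2 as read from a magstripe: ';' start sentinel, PAN, '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Hand-keyed or printed PANs: 13-19 digits, optionally grouped by space/dash.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation; filters out digit runs (loyalty numbers,
    timestamps, amounts) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """First six and last four only, the form PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_capture(payload):
    """Return the card-data hits found in cleartext within a byte payload."""
    hits = []
    covered = []  # byte ranges already reported as a track 2 record
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        covered.append((m.start(), m.end()))
        hits.append({
            "kind": "track2",
            "pan": mask_pan(pan),
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),  # MM/YY
            "offset": m.start(),
        })
    for m in PAN_RE.finditer(payload):
        if any(lo <= m.start() < hi for lo, hi in covered):
            continue  # PAN or discretionary data inside a track 2 record
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(pan):
            hits.append({"kind": "pan", "pan": mask_pan(pan), "offset": m.start()})
    return hits


# Constructed sample (not a real capture): one swiped card as track 2, one
# hand-keyed card, a loyalty number that is the right length but fails
# Luhn, and some unrelated binary.
CAPTURE = (
    b"POS-0142 AUTH ts=2008-03-09T17:42:11 amt=000004237 "
    b";4111111111111111=1012101123456789? "
    b"keyed=5500 0000 0000 0004 exp=0911 "
    b"loyalty=1234567890123456 "
    b"\x16\x05\x00\x00"
)


def exposed_card_count(payload=CAPTURE):
    """Distinct Luhn-valid card numbers recoverable from the bytes."""
    return len({h["pan"] for h in scan_capture(payload)})


if __name__ == "__main__":
    for hit in scan_capture(CAPTURE):
        print(hit)
    print("cards exposed in the clear:", exposed_card_count())
```

The Luhn filter matters on a real capture: a store network is full of sixteen-digit things that are not cards, and a rule without it drowns in false positives. The fix the editorial points at is not a better rule but making this scan return nothing, by encrypting the card data at the PIN pad or the link before it ever reaches a server the attacker could plant software on.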

2 remarks
Amanda said...

This IS scary! Just another reason I prefer to avoid the card-swipey machines and use cash whenever possible. If not, using a credit card and NOT my bank card.

5:09 PM  

It is SUCH a hassle to use cash. EVERYTHING in our society is so geared toward the plastic cards. I hate it. I prefer cash. But it is a hassle. My local bank is about 3 miles (and 20 minutes through heavy traffic) away. :-p

5:54 PM  
