Hannaford Data Breach Blamed On Malware - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
4/1/2008
03:43 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Hannaford Data Breach Blamed On Malware

The grocer said the data breach involved malicious software that was found on computer servers at about 300 of the company's stores.

The theft of an estimated 4.2 million credit and debit card numbers from Hannaford Bros. grocery stores in the New England area appears to be the result of malware.

In a letter cited by The Boston Globe from Hannaford Bros. to Massachusetts Attorney General Martha Coakley and the state's Office of Consumer Affairs and Business Regulation, the company said that the data breach it disclosed on March 17 involved malicious software that was found on computer servers at about 300 of the company's stores.

The software reportedly intercepted credit card data during checkout and sent captured information overseas, according to the letter.

Carol Eleazer, VP of marketing for Hannaford Bros., confirmed that a letter had been sent to the Massachusetts attorney general and that the facts reported were essentially accurate. She noted that the fix deployed involved software, and not the replacement of hardware. "It was a software problem and it took a software fix," she said.

Eleazer had no further information to provide about the incident, citing ongoing law enforcement and internal forensic investigations.

The breach occurred between Dec. 7 and March 10. Hannaford Bros. said it detected the breach on Feb. 27.

Coakley last month urged consumers who made a purchase at Hannaford stores during this period to watch out for unauthorized use of their credit or debit card numbers and to take steps to safeguard their personal information.

While Hannaford has acknowledged that up to 4.2 million credit and debit card numbers were compromised, it said there's no evidence to indicate that cardholder names and addresses were stolen. The company has said it continues to investigate the incident. The Secret Service is conducting its own investigation.

"In this case, it looks like the hackers exploited the weakest link," said Chris Andrew, VP of security technology at Lumension, a security management company.

Slavik Markovich, CTO of database security company Sentrigo, observes that the attack is unusual in that the thieves attacked the endpoints of the network, rather than accessing the endpoints to reach a central data repository. He said he believes the attack was specially crafted to affect Hannaford's systems.

In its letter, according to The Boston Globe, Hannaford said it had been certified in February to be compliant with the Payment Card Industry security standard, known as PCI.

But Lumension's Andrew cautioned that PCI standards are just guidelines that are open to interpretation. He said stores still need to invest in their own security programs. "Retail is a sector which is not known for high-security in particular," he said. "It's not military networks, it's not banks."

Maybe it should be. Fred Pinkett, VP of product management at security auditing company Core Security Technologies, expects that the retail industry will be targeted with similar attacks in the future. "It's where the money is," he said. "The security landscape has shifted from people trying to make a name for themselves to people trying to keep hidden. You definitely will see more attacks."

Pinkett argues that penetration testing is critical. "We would suggest that companies have a good penetration regime in place so they can find the vulnerabilities in their systems before the hackers do," he said.

Sentrigo's Markovich advised that companies hoping to avoid a similar fate use standard tools to encrypt all of their network traffic, rather than select traffic, as Hannaford reportedly did. He also suggested using activity-monitoring systems on the network and database, in conjunction with periodic network and endpoint audits.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Slideshows
Data Science: How the Pandemic Has Affected 10 Popular Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/9/2020
Commentary
The Growing Security Priority for DevOps and Cloud Migration
Joao-Pierre S. Ruth, Senior Writer,  9/3/2020
Commentary
Dark Side of AI: How to Make Artificial Intelligence Trustworthy
Guest Commentary, Guest Commentary,  9/15/2020
Register for InformationWeek Newsletters
Video
Current Issue
IT Automation Transforms Network Management
In this special report we will examine the layers of automation and orchestration in IT operations, and how they can provide high availability and greater scale for modern applications and business demands.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll