Hannaford Data Breach Blamed On Malware - InformationWeek


The grocer said the data breach involved malicious software that was found on computer servers at about 300 of the company's stores.

The theft of an estimated 4.2 million credit and debit card numbers from Hannaford Bros. grocery stores in the New England area appears to be the result of malware.

In a letter from Hannaford Bros. to Massachusetts Attorney General Martha Coakley and the state's Office of Consumer Affairs and Business Regulation, cited by The Boston Globe, the company said that the data breach it disclosed on March 17 involved malicious software that was found on computer servers at about 300 of the company's stores.

The software reportedly intercepted credit card data during checkout and sent captured information overseas, according to the letter.

Carol Eleazer, VP of marketing for Hannaford Bros., confirmed that a letter had been sent to the Massachusetts attorney general and that the facts reported were essentially accurate. She noted that the fix deployed involved software, and not the replacement of hardware. "It was a software problem and it took a software fix," she said.

Eleazer had no further information to provide about the incident, citing ongoing law enforcement and internal forensic investigations.

The breach occurred between Dec. 7 and March 10. Hannaford Bros. said it detected the breach on Feb. 27.

Coakley last month urged consumers who made a purchase at Hannaford stores during this period to watch out for unauthorized use of their credit or debit card numbers and to take steps to safeguard their personal information.

While Hannaford has acknowledged that up to 4.2 million credit and debit card numbers were compromised, it said there's no evidence to indicate that cardholder names and addresses were stolen. The company has said it continues to investigate the incident. The Secret Service is conducting its own investigation.

"In this case, it looks like the hackers exploited the weakest link," said Chris Andrew, VP of security technology at Lumension, a security management company.

Slavik Markovich, CTO of database security company Sentrigo, observed that the attack is unusual in that the thieves targeted the endpoints of the network directly, rather than using the endpoints as a route to a central data repository. He said he believes the attack was specially crafted to affect Hannaford's systems.

In its letter, according to The Boston Globe, Hannaford said it had been certified in February to be compliant with the Payment Card Industry security standard, known as PCI.

But Lumension's Andrew cautioned that PCI standards are just guidelines that are open to interpretation. He said stores still need to invest in their own security programs. "Retail is a sector which is not known for high-security in particular," he said. "It's not military networks, it's not banks."

Maybe it should be. Fred Pinkett, VP of product management at security auditing company Core Security Technologies, expects that the retail industry will be targeted with similar attacks in the future. "It's where the money is," he said. "The security landscape has shifted from people trying to make a name for themselves to people trying to keep hidden. You definitely will see more attacks."

Pinkett argues that penetration testing is critical. "We would suggest that companies have a good penetration regime in place so they can find the vulnerabilities in their systems before the hackers do," he said.

Sentrigo's Markovich advised that companies hoping to avoid a similar fate use standard tools to encrypt all of their network traffic, rather than select traffic, as Hannaford reportedly did. He also suggested using activity-monitoring systems on the network and database, in conjunction with periodic network and endpoint audits.
