By Hozaifa Cassubhai

A massive data breach at an East Coast supermarket chain, disclosed earlier in March, compromised up to 4.2 million credit and debit card numbers and has led to 1,800 cases of fraud as far away as Mexico, Italy and Bulgaria.  Recently, the Hannaford Bros. grocery chain announced the cause of that breach: unauthorized software, secretly installed on its store servers, that intercepted card data from customers as they paid with plastic at checkout counters.

While the precise source of the malicious software remains under investigation, the Scarborough, Maine-based grocer confirmed that Massachusetts regulators had been informed of the link between the breach and the malware, which infected the servers in nearly all of the company's 271 stores.  The U.S. Secret Service has confirmed that it is helping investigate the crime, although the scope of its involvement is unclear.

The Hannaford breach is unusual in that the card numbers were stolen while the information was in transit, at the point of sale, rather than from stored records.  This represents a newer and more sophisticated line of attack, one that exposes weaknesses in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in his research.  The method contrasts with the usual mode of attack, which targets data sitting in databases, as was the case in the record-setting theft of information from Massachusetts-based TJX Cos in 2005 and 2006.  That breach compromised 45.7 million accounts of customers of T.J. Maxx and Marshalls stores and now forms the basis of a pending federal consumer lawsuit in Boston.

Hannaford states that its breach occurred between Dec. 7, 2007 and March 10, 2008, but notes that while the breach was ongoing, the company was found to be in compliance with the relevant industry security standards.  A compliance assessment is a snapshot, and the card industry's encryption requirement at the time applied to transmission over open, public networks rather than to traffic inside a store's own network, so a passing assessment did not rule out interception between register and server.  "We have taken aggressive steps to augment our network security capabilities," Hannaford president and CEO Ronald C. Hodge said in a statement on March 17.  "Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions."
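The interception described above works only because the card number crosses the store network in a form the intercepting software can read. As an added illustration, not code from the article or from any of the parties it names, the following Python scans constructed register-to-server messages for Luhn-valid card numbers. The message formats, store and register identifiers, and token string are assumptions for the example, not Hannaford's actual protocol. It is the same kind of check a defender can run over captured point-of-sale traffic to learn whether primary account numbers (PANs) are exposed, and it shows why a message carrying only a token gives an interceptor nothing to steal.

```python
"""
Added example, not code from the article: a Luhn-validated PAN scanner run
over constructed checkout messages. Message formats below are assumptions.
"""
from __future__ import annotations

import re
from typing import Dict, List

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample messages (assumed formats, not a real POS protocol).
# The first carries magnetic-stripe track 2 data in clear text; the second
# carries only a processor token; the third contains a 16-digit order number
# that is not a card number.
SAMPLE_MESSAGES: Dict[str, bytes] = {
    "cleartext_track2": b"STORE=0271 REG=04 AMT=42.17 TRACK2=;4111111111111111=10121015432?",
    "tokenized": b"STORE=0271 REG=04 AMT=42.17 TOKEN=tok_c9e4b2a1f07d PAN_LAST4=1111",
    "order_number": b"STORE=0271 REG=04 ORDER=4111111111111112 AMT=9.99",
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> List[str]:
    """Return the Luhn-valid card numbers found in a cleartext payload."""
    text = payload.decode("latin-1", errors="replace")
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):  # drops order numbers and other digit runs
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as a report would show them."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit(messages: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each message label to the masked PANs exposed in it."""
    return {label: [mask(p) for p in find_pans(body)] for label, body in messages.items()}


if __name__ == "__main__":
    for label, pans in audit(SAMPLE_MESSAGES).items():
        status = "EXPOSED " + ", ".join(pans) if pans else "no PAN in clear"
        print(f"{label:18s} {status}")
```

Run against real captures, the scanner is a quick triage tool rather than a complete one: it will miss PANs that are split across packets or encoded, and the Luhn check only filters accidental digit runs, so any hit should be confirmed against the register's actual message layout.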