Malware to blame in supermarket data breach

It turns out malware somehow found its way onto a Maine-based supermarket chain's servers, which led to the security breach announced earlier this month compromising up to 4.2 million credit cards.

Citing a letter the Hannaford grocer sent to Massachusetts regulators, The Boston Globe on Friday reported that the malicious software intercepted data from customers as they paid with plastic at checkout counters and sent data overseas.

The malware was installed on computer servers at each of the 300-some stores operated by Hannaford and its partners, the Globe reported.

The company is continuing its investigation into how the malware may have been placed on the servers. The Secret Service, meanwhile is conducting its own investigation.

The breach appears to be one of the first in which credit card numbers were stolen while the information was in transit, or at the point of sale. One of a growing number of sophisticated attacks, it illustrates vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research (PDF).

That mode contrasts to attacks on databases, the method used to compromise 45.7 million accounts over a two-year period in a data breach of customer records at TJX Companies, the operator of T.J. Maxx and Marshalls retail chains.

Andrew Conry of InformationWeek adds that Hannaford, in addition to the breach, has two related class action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that "internal servers were transmitting outside the network to a strange IP. This should've raised flags somewhere--server logs, IDS logs, firewall logs."

I'll second Conry's conclusion: "In any case, the whole mess should be very instructional to retailers everywhere," particularly in light of Friday's news of attacks on top Web sites like USAToday.com, Target.com, ABCNews.com, Walmart.com, and of a data breach at Antioch University in Ohio.

[paulsecic]

Blogs CNET

Please use better fonts in blogs. Too hard to read.

[BtmnHatesRbn]

Should've used an *IX OS on those servers.

C'mon! How dumb can these IT dorks be at this supermarket
chain? What? They installed DOOM or Quake once and got it to
work on a Compaq Presario 5610 in 1998? Please.

Should've been using a flavor of Linux, OS X Server, FreeBSD or
even frickin' DOS 2000. Anything but a M$ OS that has now
created this mess with NSA-requested backdoors and security
holes.

Ugh!

[BenjaminWright]

PCI Law

Legally speaking, we can't expect the PCI to keep up with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html --Ben

[David M. Zendzian]

PCI & keeping up

They were not PCI compliant at the time of the hack. Section 5 states that:

[David M. Zendzian]

PCI & keeping up

They were not PCI compliant at the time of the hack. Section 5 states that:
Deploy anti-virus software on all systems commonly affected by viruses & ensure that anti-virus programs are capable of detecting, removing and protecting against other forms of malicious software including spyware & adware.

This means if they were infected with malware then they may not have had anti-virus or malware protection, or it wasn't up to date (5.2)

To my knowledge there has never been a compromise of PCI data from a fully compliant PCI company. They may have passed their audit last year, but PCI requires you to keep things up-to-date. There are daily, monthly, quarterly and yearly items that need to keep current.

PCI is not a once a year "check", but an on-going effort; just like any security initiative. You wouldn't install an alarm on your business but then leave the door open & alarm off when you go home at night would you?

David