Hannaford Data Breach Blamed On Malware - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

03:43 PM
Connect Directly

Hannaford Data Breach Blamed On Malware

The grocer said the data breach involved malicious software that was found on computer servers at about 300 of the company's stores.

The theft of an estimated 4.2 million credit and debit card numbers from Hannaford Bros. grocery stores in the New England area appears to be the result of malware.

In a letter cited by The Boston Globe from Hannaford Bros. to Massachusetts Attorney General Martha Coakley and the state's Office of Consumer Affairs and Business Regulation, the company said that the data breach it disclosed on March 17 involved malicious software that was found on computer servers at about 300 of the company's stores.

The software reportedly intercepted credit card data during checkout and sent captured information overseas, according to the letter.

Carol Eleazer, VP of marketing for Hannaford Bros., confirmed that a letter had been sent to the Massachusetts attorney general and that the facts reported were essentially accurate. She noted that the fix deployed involved software, and not the replacement of hardware. "It was a software problem and it took a software fix," she said.

Eleazer had no further information to provide about the incident, citing ongoing law enforcement and internal forensic investigations.

The breach occurred between Dec. 7 and March 10. Hannaford Bros. said it detected the breach on Feb. 27.

Coakley last month urged consumers who made a purchase at Hannaford stores during this period to watch out for unauthorized use of their credit or debit card numbers and to take steps to safeguard their personal information.

While Hannaford has acknowledged that up to 4.2 million credit and debit card numbers were compromised, it said there's no evidence to indicate that cardholder names and addresses were stolen. The company has said it continues to investigate the incident. The Secret Service is conducting its own investigation.

"In this case, it looks like the hackers exploited the weakest link," said Chris Andrew, VP of security technology at Lumension, a security management company.

Slavik Markovich, CTO of database security company Sentrigo, observes that the attack is unusual in that the thieves attacked the endpoints of the network, rather than accessing the endpoints to reach a central data repository. He said he believes the attack was specially crafted to affect Hannaford's systems.

In its letter, according to The Boston Globe, Hannaford said it had been certified in February to be compliant with the Payment Card Industry security standard, known as PCI.

But Lumension's Andrew cautioned that PCI standards are just guidelines that are open to interpretation. He said stores still need to invest in their own security programs. "Retail is a sector which is not known for high-security in particular," he said. "It's not military networks, it's not banks."

Maybe it should be. Fred Pinkett, VP of product management at security auditing company Core Security Technologies, expects that the retail industry will be targeted with similar attacks in the future. "It's where the money is," he said. "The security landscape has shifted from people trying to make a name for themselves to people trying to keep hidden. You definitely will see more attacks."

Pinkett argues that penetration testing is critical. "We would suggest that companies have a good penetration regime in place so they can find the vulnerabilities in their systems before the hackers do," he said.

Sentrigo's Markovich advised that companies hoping to avoid a similar fate use standard tools to encrypt all of their network traffic, rather than select traffic, as Hannaford reportedly did. He also suggested using activity-monitoring systems on the network and database, in conjunction with periodic network and endpoint audits.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll