Vermont ski area reports Hannaford-like theft of payment card data

Okemo says card info was stolen as cards were swiped, as in breach at grocery chain

In a security breach that sounds similar to the one disclosed by Hannaford Bros. Co. last month, the Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February.

Okemo said in a security advisory released on Monday that the breach may have affected customers who used their payment cards at the resort in Ludlow, Vt., between Feb. 7 and Feb. 22, the time frame when the intrusion took place. The intruder or intruders may also have accessed data from card transactions processed between January and March 2006, according to the advisory.

Bonnie MacPherson, a spokeswoman for Okemo, said today that at least some of the data appears to have been stolen as the recent payment card transactions were being authorized. "We can tell you that this was a real-time theft," McPherson said. "The information was being taken as the cards were being swiped."

If that is actually the case, it could make the breach at Okemo a close cousin to the much larger one announced by Hannaford on March 17. In the Hannaford breach, malware installed on servers in each of the Scarborough, Maine-based company's grocery stores intercepted card data as the information was being transmitted from point-of-sale systems to authorize transactions.

Hannaford said in a letter sent to Massachusetts officials last week that up to 4.2 million credit and debit card numbers, as well as the expiration dates of the affected cards, were stolen by the malware program and then sent in batches to a server hosted by a foreign ISP. The grocer added that the discovery of the mass malware installation prompted a wholesale replacement of its store servers, plus other unspecified steps aimed at ensuring "that no versions of the malware remain anywhere on the company's systems."

And Hannaford and Okemo may not be the only businesses disclosing breaches involving payment card data in transit between systems. According to McPherson, law enforcement authorities who are investigating the breach at Okemo told resort officials that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.

McPherson said the system intrusion was discovered in late February but declined to comment on how the resort learned of it, citing the ongoing investigation. She added that Okemo has taken steps to close the breach and prevent further intrusions, but again didn't disclose any specific details.

In addition to notifying law enforcement officials, Okemo has informed Visa, MasterCard and American Express of the breach. But the resort doesn't have sufficient information on hand in its systems to directly contact all of the individuals who might have been affected, McPherson said. Resort officials have been told, she said, that customers will be contacted directly by the banks that issued their credit and debit cards.

Courtesy of Okemo

Okemo doesn't know for sure how many cardholders were affected. But in its advisory, the resort said that data from up to 28,168 card transactions processed in February may have been compromised. Okemo noted that the number of customers potentially affected may be smaller than that number because some cards might have been used for multiple transactions. In addition, data on 18,401 individual credit cards used at Okemo from in early 2006 may have been accessed during the intrusion, the resort said.

According to Okemo, a computer forensics review by an outside security consultant found no evidence of any security breaches on the systems at the Mount Sunapee ski area in New Hampshire or the Crested Butte Mountain Resort in Colorado. All three ski areas are owned by the same company.

After Hannaford disclosed its breach, some analysts said it was the first time that attackers had swiped payment card data while the information was in transit on such a large scale. Most of the card data compromises reported thus far have involved information stored in databases on systems or in storage devices. But with companies putting more effective controls around stored data, attackers may be shifting their attention to data in transit.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon