Hannaford says malware planted on its store servers stole card data

Card numbers were sent overseas in batches; grocer has replaced all affected systems

Hannaford Bros. Co. disclosed this week that the intruders who stole up to 4.2 million credit and debit card numbers from the grocer's systems did so by planting malware programs on servers at each of its stores in New England, New York and Florida.

The malicious software was used to intercept the payment card data as the information was being transmitted from Hannaford's point-of-sale systems to authorize transactions, the company said in a letter sent to Massachusetts officials on Tuesday. The malware then forwarded the stolen card numbers as well as their expiration dates to an overseas destination, according to the letter, which was signed by Emily Dickinson, Hannaford's general counsel.

The discovery of the mass malware installation prompted a wholesale replacement of Hannaford's store servers. Dickinson's letter said that with help from the U.S. Secret Service and IT security vendors, the company has identified and replaced all of the affected hardware "and otherwise ensured that no versions of the malware remain anywhere on the company's systems."

The letter offered no explanation as to how the perpetrators might have gained access to each of the company's servers to plant the malicious code on them. Echoing separate comments by Hannaford officials, Dickinson wrote that the grocer was certified both last year and on Feb. 27 as being compliant with the Payment Card Industry Data Security Standard, or PCI.

The Hannaford breach, which the company disclosed on March 17, is among the first large-scale intrusions involving the interception of card data while it's in transit between systems, said Mike Paquette, chief strategy officer at Top Layer Networks, a vendor of intrusion-prevention systems in Westboro, Mass. Most of the compromises reported thus far have involved information stored in databases on systems or in storage devices, Paquette said.

Based on the information available so far, the initial intrusion into Hannaford's systems could have happened in several ways, Paquette added. One likely scenario, he said, is that the attackers took advantage of an undetected remotely exploitable vulnerability in one of the company's servers to gain a foothold on its network and then planted the malicious code on all of the store servers.

It's also possible that the perpetrators were able to break into Hannaford's servers because of overly permissive firewall rules or because the grocer's antivirus software failed, said Chris Andrew, vice president of security technology at software vendor Lumension Security Inc. in Scottsdale, Ariz.

Another possibility, Andrew said, is that someone — even an insider — could have had physical access to a server and planted the malicious code on it, then replicated the malware across the entire Hannaford environment. Many retailers use a standard software image on all of their servers, he said — so if one system has a security weakness, it's likely that the others would as well.

Paquette said that once the malware was on the servers, it could have used one of several methods to conceal its presence and surreptitiously send the intercepted card data to a remote system. "The command and control techniques that are used [by attackers] can be quite stealthy and would appear completely normal" to any monitoring technologies that Hannaford might have been using, he said.

But Andrew said that the grocer's network obviously wasn't locked down tight. "Clearly, there was a pathway back out of the network that Hannaford should have closed," he noted.

The PCI security rules require retailers and other merchants to encrypt sensitive data while it's being transmitted across open public networks that attackers could easily use to intercept and divert information. But in Hannaford's case, the intruders were able to intercept the data at a point where it obviously was unencrypted, Paquette said. That could have been when the details of card transactions were being routed through each server to record the sales, he added.

Dickinson's letter about the data breach was sent to the Massachusetts Attorney General's office and to the state's Office of Consumer Affairs and Business Regulation, apparently in response to a March 18 reminder notice that Daniel Crane, undersecretary of the consumer affairs office, sent to Hannaford CEO Ronald Hodge. Crane wrote that Massachusetts law requires companies to send information about breaches that affect state residents to his office and the attorney general.

Hannaford, which is based in Scarborough, Maine, has said that the card numbers were stolen between Dec. 7 and March 10, and that it learned of the breach after being made aware of suspicious credit card activity on Feb. 27.

The letter from Dickinson offered a few more details about the breach than the company had previously released. In addition to disclosing that the malware had been installed on all of Hannaford's store servers, Dickinson said it was designed to intercept the so-called Track 2 data that is stored in the magnetic stripe on the back of payment cards. The malware then batched the card numbers and expiration dates and "periodically transmitted the data to an offshore ISP," Dickinson wrote.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon