Malware at Hannaford Leads to Data Theft & Credit Card Compromises

Maine-based Hannaford Bros., Scarborough, confirmed via a Boston Globe report on March 28, 2008 that some malware were planted on the servers of the 271-store chain that led to loss of data and consequently compromise about 4.2 Million credit and debit card accounts, as reported by Technewsworld on March 28, 2008.

In a correspondence to Massachusetts' officials on March 18, 2008, the company said that the malicious code was applied to intercept data on payment cards as Hannaford's point-of-sale systems transmitted the information to authorize shoppers' transactions. While this happened, the malware sent the stolen card details along with their dates of expiry to a foreign destination, the letter revealed. The letter carried the signature of Hannaford's General Counsel, Emily Dickinson.

Following the realization of the mass installation of the malicious software, Hannaford promptly carried out a total replacement of its store servers. Dickinson's letter stated that with the help of IT security vendors and the US Secret Service, the company was able to identify all the infected hardware, which it replaced and also ensured that the malware didn't remain in any form anywhere on its network.

Carol Eleazer, Spokeswoman, Hannaford, said that the company didn't have any idea as to how the malicious software entered the servers of the store, as reported by Associated Press on March 29, 2008.

Meanwhile, security experts have been trying to determine how thieves moved the massive database out of the network of Hannaford, as the company has been adhering to the rules of the PCI (Payment Card Industry). The experts warn that if the systems of the east coast stores were vulnerable then many of the other retailers might also be exposed to the attack.

According to Eleazer, the malware was found to appear in all Hannaford stores in New York and New England and in the majority of the retailer's affiliated Sweetbay stores in Florida.

The company said that the data breach occurred during December 7 to March 10 when customers swiped their credit cards in the checkout machines and all the details were being transmitted to the respective banks.

Related article: Malware Authors Turn More Insidious

» SPAMfighter News - 4/9/2008