It's been widely reported today that the source of the recent massive credit card theft at the Hannaford and SweetBay grocery chains was a pervasively installed piece of malware. The finding was revealed in a letter from Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick's Office of Consumer Affairs and Business Regulation. According to Hannaford's general counsel, the malware recorded the "track 2" data stored on the magnetic stripe of credit/debit cards as customers used them at the checkout counter. This magnetic stripe data includes the card's number and expiration date, but not the customer's name.
The data was taken "in transit for authorization from the point of sale," the letter states, meaning as it was transmitted from the cash register to one of the institutions that Hannaford uses to process transactions.
The disclosure also stated that the malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider.
According to Hannaford, not only is the company fully compliant with the PCI-DSS credit card protection standard, but it passed an audit as recently as late February! This is clearly a nightmare for the major credit card companies. There's already a perception that the standard itself is garbage, and news like this further validates that contention.
But I always approach these problems from a security admin perspective, so what can we learn from this?

Randy George has covered a wide range of network infrastructure and information security topics in his 4 years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT, and has spent the last 8 years working as a ...