Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Malware Brought Hannaford Down!

It???s been widely reported today that the source of the recent massive credit card theft at the Hannaford and SweetBay grocery chains was a pervasively installed piece of malware.
The finding was revealed in a letter from Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick's Office of Consumer Affairs and Business Regulation.
According to Hannaford's general counsel, the malware recorded the "track 2" data stored on the magnetic stripe of credit/debit cards as customers used them at the checkout counter. This magnetic stripe data includes the card's number and expiration date, but not the customer's name.

The data was taken "in transit for authorization from the point of sale," the letter states, meaning as it was transmitted from the cash register to one of the institutions that Hannaford uses to process transactions.

The disclosure also stated that the malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider.

According to Hannaford, not only is the company fully compliant with the PCI-DSS credit card protection standard, but it passed an audit as recently as late February! This is clearly a nightmare for the major credit card companies. There's already a perception that the standard itself is garbage, and news like this further validates that contention.

But I always approach these problems from a security admin perspective; so what can we learn from this?

  • 1