Malware to blame in supermarket data breach
Posted by Michelle Meyers |
It turns out malware had somehow found its way onto a Maine-based supermarket chain's servers, which led to the security breach announced earlier this month compromising up to 4.2 million credit cards.
Hannford logo
Citing a letter the Hannaford grocer sent to Massachusetts regulators, The Boston Globe on Friday reported the malicious software intercepted data from customers as they paid with plastic at checkout counters and sent data overseas.
The malware was installed on computer servers at each of the 300-some stores operated by Hannaford and its partners, the Globe reported.
The company is continuing its investigation into how the malware may have placed on the servers. The Secret Service, meanwhile is conducting its own investigation.
The breach appears to be one of the first in which credit card numbers were stolen while the information was in transit, or at the point-of-sale. One of a growing number of sophisticated attacks, it illustrates vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research (PDF).
That mode is in contrast to attacks on databases, the method used to compromise 45.7 million accounts over a two-year period in a data breach of customer records at TJX Companies, the operator of T.J. Maxx and Marshalls retail chains.
InformationWeek's Andrew Conry adds that Hannaford, in addition to the breach, as two related class-action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that "internal servers were transmitting outside the network to a strange IP. This should've raised flags somewhere--server logs, IDS logs, firewall logs."
I'll second Conry's conclusion: "In any case, the whole mess should be very instructional to retailers everywhere," particularly in light of Friday's news of attacks on top Web sites like USAToday.com, Target.com, ABCNews.com, Walmart.com, and of a data breach at Antioch University in Ohio.
Posted by Michelle Meyers |
It turns out malware had somehow found its way onto a Maine-based supermarket chain's servers, which led to the security breach announced earlier this month compromising up to 4.2 million credit cards.
Hannford logo
Citing a letter the Hannaford grocer sent to Massachusetts regulators, The Boston Globe on Friday reported the malicious software intercepted data from customers as they paid with plastic at checkout counters and sent data overseas.
The malware was installed on computer servers at each of the 300-some stores operated by Hannaford and its partners, the Globe reported.
The company is continuing its investigation into how the malware may have placed on the servers. The Secret Service, meanwhile is conducting its own investigation.
The breach appears to be one of the first in which credit card numbers were stolen while the information was in transit, or at the point-of-sale. One of a growing number of sophisticated attacks, it illustrates vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research (PDF).
That mode is in contrast to attacks on databases, the method used to compromise 45.7 million accounts over a two-year period in a data breach of customer records at TJX Companies, the operator of T.J. Maxx and Marshalls retail chains.
InformationWeek's Andrew Conry adds that Hannaford, in addition to the breach, as two related class-action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that "internal servers were transmitting outside the network to a strange IP. This should've raised flags somewhere--server logs, IDS logs, firewall logs."
I'll second Conry's conclusion: "In any case, the whole mess should be very instructional to retailers everywhere," particularly in light of Friday's news of attacks on top Web sites like USAToday.com, Target.com, ABCNews.com, Walmart.com, and of a data breach at Antioch University in Ohio.
