Hannaford’s breach is a warning for your PC
WASHINGTON - The surprising attack on a supermarket’s network shows the importance of sweeping for malware.
It started with a single piece of malware on a single machine. But that malicious software was then forwarded to some 300 computer servers for the Hannaford supermarket chain. With that, the credit-card information of millions of people, primarily from New England and Florida, was set upon by thieves.
It was particularly disturbing that this piece of malware enabled hackers to steal someone’s credit-card number while it was in transit. The thieves could access data from the moment customers swiped their card at the checkout, as the data made its way to the grocer’s database. In most data-theft cases, credit-card numbers are stolen from massive databanks that have been hacked.
Hannaford had been certified as meeting PCI (Payment Card Industry) data-protection standards in February 2007. In a letter from Hannaford to government officials in Massachusetts, the company explained that the malware intercepted the data stored on the magnetic strip of a payment card. When someone paid with plastic, the card’s number and expiration date made their way to the hackers.
The Boston Globe’s Ross Kerber, who broke the story, reported that information security experts were somewhat flummoxed by this novel and frightening approach to data theft. It demonstrates the skill and persistence of hackers, who continually uncover the weakest links in computer networks.
“In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks,” the Globe wrote.
Hannaford, however, says it does not hold on to such personal information - a precaution it hoped would protect its customers from large-scale breaches. But the thieves nabbed the data at a point in the transaction process that neither stores nor banks are responsible for safeguarding under the PCI standards. It’s a strange loophole in the industry regulations that many sides are now working to plug. (The Christian Science Monitor)