Malware Blamed on Data Breach

Forum Moderators: buckworks

Message Too Old, No Replies

Malware Blamed on Data Breach

engine

9:27 am on Mar 30, 2008 (gmt 0)

A massive data breach at Hannaford Brothers Cos. was caused by a "new and sophisticated" method in which software was secretly installed on servers at every one of its grocery stores, the company told Massachusetts regulators this week.
The unauthorized intrusion the company disclosed on March 17 stemmed from software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas, Hannaford's top lawyer said in a letter sent to Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs and Business Regulation.

Malware Blamed on Data Breach [boston.com]

mack

1:33 pm on Mar 30, 2008 (gmt 0)

WOW thats quite an exploit. Perhaps the internet isn't the correct way to transmit this kind of data in the future. VPN seams to be the only real way to have any control over the end recipient.

Mack.

tedster

2:31 pm on Mar 30, 2008 (gmt 0)

Malware was installed on the servers of all 300 og their stores from Maine through Florida - that sounds very much like an inside job. I'll bet that malware could be written to drill OUT for reporting even from a VPN.

jsinger

5:29 pm on Mar 30, 2008 (gmt 0)

How valuable are card numbers without the owners' names?

And why take perhaps 4 million of them from hundreds of stores? Cracking just one store for a week would provide thousands of numbers. Better yet, take a few scattered numbers from each of hundreds of stores. Who would figure that out?

mack

8:57 pm on Mar 30, 2008 (gmt 0)

And why take perhaps 4 million of them from hundreds of stores? Cracking just one store for a week would provide thousands of numbers.

Maybee this was more than fraud. Perhaps this was an attack at the company as a brand, more or less a loss of credability. Ex employee perhaps?

Pure speculation on my part.

Mack.

thecoalman

9:28 am on Mar 31, 2008 (gmt 0)

I saw a piece on 60 minutes, apparently a lot of stores, even the very large ones are very unsecure places to use a credit card. The story focused on them using an insecure protocol for wi-fi but where there's smoke there's fire.

[cbsnews.com...]

The retail industry got a wake-up call earlier this year, when TJX, the parent company of T.J. Maxx and Marshalls, disclosed it had suffered the worst high-tech heist in shopping history. Hackers raided the company's computer system, taking off with tens of millions of records. And what we have learned is: TJX could have prevented it.

SEOMike

3:53 pm on Mar 31, 2008 (gmt 0)

that sounds very much like an inside job.

That was my first impression too. However, would an insider go to all the trouble of attacking each store? And, would an insider actually commit fraud on this scale:

Hannaford said it knows of about 2,000 cases of fraud related to the intrusion.

ytswy

4:02 pm on Mar 31, 2008 (gmt 0)

How valuable are card numbers without the owners' names?

Is this actually checked? I know there's a box for it, but I've always got the impression that its more for show than anything.

jsinger

4:39 pm on Mar 31, 2008 (gmt 0)

We manually key online card info into our store system. We don't enter the shopper's name but we sometimes use it to match questionable online transactions. We do enter the numerical street address and the zip code. We are told by the terminal whether those match the cardholder info and we can elect to accept or reject the transaction.

One thing with supermarkets, many customers live in the same zip as the market. So ZIP could often be guessed.

Still... what good to a thief are these numbers alone? They wouldn't be likely to slip past our simple safeguards. This is more like an act of vengeance or extortion.