4 million credit card records stolen from US grocery retailer
Between 7th December 2007 and 10th March this year, around 4 million credit card numbers were stolen from US grocery chain Hannaford Bros. According to US media reports, the criminals behind the data theft installed spy software on the company’s servers in New England, New York and Florida.
The malware reportedly captured card details as payment data was transferred from point-of-sale devices in the company’s branches to the company’s servers for transaction authorisation. The stolen card numbers and expiry dates were then sent on to servers overseas.
After discovering the intrusion, the grocery retailer is reported to have replaced the majority of its servers. The company states that, with the assistance of the US Secret Service and IT security companies, it has identified and replaced the affected servers and ensured that the malware is no longer present on any company systems.
Hannaford Bros. was certified as compliant with the Payment Card Industry Data Security Standard (PCI-DSS) in February last year. The standard is intended to assure data security during payment transactions by mandating safeguards such as the encrypted transmission of transaction data. The method used in this theft is unusual in that the criminals captured the data while it was in transit between systems; previously, credit card data has been obtained from stored databases.
It is not clear how the malware was placed on the servers. Speculation includes an unpatched security vulnerability in the server software, a lax firewall configuration or a failure of anti-virus software. Some security experts are also refusing to rule out the possibility that the software was installed by an insider.
- A Message from Hannaford President and CEO Ron Hodge, announcement to customers by Hannaford Bros.