CIO Today
NETWORK SECURITY
Card Numbers Stolen During Authorization Process
Posted March 19, 2008

By Peter Piazza. Updated March 19, 2008 7:39AM

A large East Coast supermarket chain is the latest victim of a major data breach, with as many as four million credit- and debit-card numbers exposed. Hannaford Bros., based in Maine, announced the "containment of a data intrusion into its computer network" that resulted in the theft of data, but added that "no personal information, such as names and addresses, was accessed or obtained." The company said it is "aware of fewer than 2,000 cases of reported fraud related to this crime."

Hannaford operates 165 stores along the East Coast and, under the name of Sweetbay Supermarket, another 106 stores in Florida. The company is owned by the Delhaize Group of Brussels, Belgium. Also affected by the breach are an unknown number of independent retailers in the Northeast that sell Hannaford products.

According to a statement from Hannaford, "data was illegally accessed from Hannaford's computer systems during the card-authorization transmission process." A statement from Hannaford CEO Ron Hodge said that the stolen data "was limited to credit- and debit-card numbers and expiration dates," not names or addresses, and that the company "doesn't know or keep any personally identifiable information from customers."

Attacks on Data in Transit

"What showed up here was a new trend where criminals are going after data in transit, as opposed to data at rest. I think everybody was caught off-guard by that," Avivah Litan, a security analyst for Gartner, told us.

Payment Card Industry standards from credit-card issuers mandate that retailers take security measures such as protecting stored cardholder data and encrypting the transmission of data across open networks. Despite the breach, Litan said Hannaford could possibly have been in compliance with PCI standards.

"When you swipe a card, it should be encrypted immediately," she said, but often it's not until the data gets to the cash register that encryption happens; in other cases, the virtual private network carrying the data is encrypted but the data itself is not, meaning that anyone with the proper log-in credentials can see the data -- or trap data -- whenever a card is swiped.

"To be in compliance with PCI, you need to have strong access controls and encrypt the data in transit," Litan said. "But the auditors and the card companies have not been focused on those parts. They've been really focused on driving data from storage, but haven't yet focused on data in transit. So as they've removed data from storage, criminals are now going after data in transit. This will set all the card companies and assessors scrambling."

Long Timeline

The Massachusetts Bankers Association, contacted by credit-card issuers, alerted consumers on Monday that "a major retailer" had experienced a data breach that began on December 7, 2007, and wasn't contained until March 10. On the same day, Hannaford issued its statement, saying the company was "first made aware of suspicious card activity on February 27."

Hannaford advises customers to review bank and credit-card statements and contact lenders if there are concerns about unusual charges, and said it is working with law enforcement in a criminal investigation.

Hannaford's Web site has a customer advisory warning that "criminals take advantage of situations like this to try to obtain personal information like credit- and debit-card numbers, PINs and Social Security and driver's license numbers." It advised that it would not call or send e-mails to ask for this kind of personal information, and asked anyone who received such a call or e-mail to report it to Hannaford. The company's dedicated customer assistance line is at 866-591-4580.
