March 29, 2008 10:53 AM PDT

Malware to blame in supermarket data breach

Posted by Michelle Meyers

It turns out malware somehow found its way onto a Maine-based supermarket chain's servers, which led to the security breach announced earlier this month compromising up to 4.2 million credit cards.

Citing a letter the Hannaford grocer sent to Massachusetts regulators, The Boston Globe on Friday reported that the malicious software intercepted data from customers as they paid with plastic at checkout counters and sent data overseas.

The malware was installed on computer servers at each of the 300-some stores operated by Hannaford and its partners, the Globe reported.

The company is continuing its investigation into how the malware may have been placed on the servers. The Secret Service, meanwhile is conducting its own investigation.

The breach appears to be one of the first in which credit card numbers were stolen while the information was in transit, or at the point of sale. One of a growing number of sophisticated attacks, it illustrates vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research (PDF).

That mode contrasts to attacks on databases, the method used to compromise 45.7 million accounts over a two-year period in a data breach of customer records at TJX Companies, the operator of T.J. Maxx and Marshalls retail chains.

Andrew Conry of InformationWeek adds that Hannaford, in addition to the breach, has two related class action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that "internal servers were transmitting outside the network to a strange IP. This should've raised flags somewhere--server logs, IDS logs, firewall logs."

I'll second Conry's conclusion: "In any case, the whole mess should be very instructional to retailers everywhere," particularly in light of Friday's news of attacks on top Web sites like USAToday.com, Target.com, ABCNews.com, Walmart.com, and of a data breach at Antioch University in Ohio.