Supermarket data breach still unsolved
The TJX breach is thought to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami — an entry point that eventually gave hackers undetected access to TJX's central databases for a year and a half.
To accept credit cards, merchants have to meet industry standards that credit card firms impose to protect data.
The standards are administered by the PCI Security Standards Council in Wakefield, Mass., and include making retailers maintain firewalls to protect data inside their computer systems, encrypt data when it travels across public networks, and generally restrict access to cardholder data.
The standards also require companies to track and monitor all access to cardholder data, restrict physical access to cardholder data and use and update antivirus software.
The standards are constantly being updated, said Bob Russo, general manager of the PCI Security Standards Council.
"You have to think of this as an arms race," he said. "We have to stay out in front as much as we can."
Hannaford's transaction system was found to be in compliance with the standards as recently as last month, Eleazer said.
"And yet we were the victim of this attack. Which further proves that, regrettably, in the wired world in which we live, vulnerabilities inevitably exist," she said.
The U.S. Secret Service is investigating, and Hannaford continues to evaluate its technology infrastructure. None of the exposed data contained customers' names, addresses or phone numbers — just account numbers, Eleazer said.
Still, the problem is "testament to the fact that breaches have turned into a global epidemic," said Slavik Markovich, chief technology officer of Sentrigo Inc., a database security company based in Woburn, Mass.
"Overall, this type of attack, lasting several months and resulting in large-scale data theft and actual cases of fraud demonstrates once more that enterprises are being proactively targeted by organized crime," Markovich said in an e-mail. "Weak links anywhere in the data chain that leave the data vulnerable to theft are exploited."

