Hannaford breach raises new fears

Troubling twists might expose big holes in industry’s security standards

By Clarke Canfield and Brian Bergstein
updated 6:45 p.m. ET March 20, 2008

PORTLAND, Maine - At first, it sounded like another in a long line of credit card breaches: Up to 4.2 million account numbers were stolen by thieves who cracked computers at Hannaford Bros. Co., an Eastern supermarket chain.

But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards.

For one thing, Hannaford said the sensitive data were exposed when shoppers swiped their cards at checkout-line machines and the information was transmitted to banks for approval.

While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit.

"Catching data on the move is a bit more challenging," said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway.

Another intriguing facet is that Hannaford was found — while the hack was still going on last month — to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.

The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed.

The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants — and by extension, their customers — are falsely confident about their security. Already the PCI standards have been tightened in recent years, after such massive data breaches as the one in 2005 at CardSystems Solutions Inc., a payment processor.

David Navetta, president of InfoSecCompliance LLC, a Denver law firm that concentrates on computer security and regulatory compliance, argues that Hannaford and its assessor may have been tripped up by ambiguity in the PCI standards about when companies must encrypt payment data to cloak it from outsiders.
