Hannaford Data Theft Was No Smash and Grab

Retailers, e-commerce developers and security vendors should be paying close attention to the data breach case unfolding around the Hannaford Brothers Cos. Unlike many data breaches in the past that fall into the “smash and grab” category, the Hannaford breach (which may affect 4.2 million credit and debit card numbers) appears to have been a well-orchestrated theft of real-time credit data moving across the network and apparently meeting most of the current security standards.

A front page article in the Friday, March 28 Boston Globe offers previously undisclosed details of the breach. This was no case of lost back-up tapes, unprotected laptops or a tap of unprotected wireless data.

According to a letter written by Hannaford’s general counsel Emily D. Dickinson and quoted in the Globe, an “illicit and unauthorized computer program known as ‘malware’ was installed on the servers of each of the stores the company operates in Maine, Vermont, New Hampshire, Massachusetts and New York, plus at stores elsewhere…” The letter goes on to state that the data was taken “in transit for authorization from the point of sale.” The company had been recertified as meeting credit card standards as recently as February 27, 2008.

Stealing data in transit is akin to hijacking a truck as it moves down the highway. You can do it, but it takes several levels of sophistication beyond a theft of a parked vehicle. So now, the IT security detectives will start back-tracking through the Hannaford network looking at access logs, server patches and network traffic.

In two weeks, San Francisco will host the big RSA security show. There will be lots of discussion about securing data, not devices and balancing the need for security with the desire for easily accessible, fast e-commerce transactions. I expect that breaches such as the one unfolding at Hannaford will push the development of system-wide security planning that includes end-to-end encryption based on a public key infrastructure.