Hannaford Credit Card Theft Caused By Malware, Not Database Breach

Most corporate credit card data theft happens at the database level, like the massive T.J. Maxx breach. But Hannaford has notified investigators that the recent theft of 4.2 million accounts was caused by malware that was installed on the servers at each of its 300 locations. The software “intercepted data from customers as they paid with plastic at checkout counters and sent data overseas,” reports CNET.

The breach appears to be one of the first in which credit card numbers were stolen while the information was in transit, or at the point of sale. One of a growing number of sophisticated attacks, it illustrates vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research (PDF).
Andrew Conry of InformationWeek adds that Hannaford, in addition to the breach, has two related class action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that “internal servers were transmitting outside the network to a strange IP. This should’ve raised flags somewhere–server logs, IDS logs, firewall logs.”
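The kind of firewall-log check the InformationWeek quote has in mind, as an added example that is not from the article, Hannaford, or any investigator. The log format, the store-server subnet, and the allowlisted processor range are all constructed assumptions, using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Assumed policy: store servers may talk only to internal hosts and the processor.
STORE_SERVERS = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_EGRESS = [
    ipaddress.ip_network("10.0.0.0/8"),        # internal corporate ranges
    ipaddress.ip_network("198.51.100.0/24"),   # placeholder: card processor
]

# Constructed firewall log lines (not from the incident).
SAMPLE_LOG = """\
2008-03-01T02:10:11 action=allow src=10.20.14.5 dst=198.51.100.20 dport=443 bytes=5120
2008-03-01T02:10:40 action=allow src=10.20.14.5 dst=203.0.113.77 dport=80 bytes=48211
2008-03-01T02:11:02 action=allow src=10.20.87.5 dst=203.0.113.77 dport=80 bytes=51730
2008-03-01T02:11:30 action=allow src=10.20.14.5 dst=10.1.1.9 dport=1433 bytes=900
2008-03-01T02:12:00 action=allow src=10.99.3.8 dst=192.0.2.44 dport=443 bytes=700
malformed line without fields
"""

def parse_line(line):
    """Return (src, dst, bytes) for one log line, or None if unusable."""
    fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
    try:
        return (ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                int(fields["bytes"]))
    except (KeyError, ValueError):
        return None

def unexpected_egress(log_text):
    """Map each non-allowlisted destination to the store servers that sent to it."""
    findings = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, nbytes = parsed
        if src not in STORE_SERVERS:
            continue  # only the store-server segment is in scope here
        if any(dst in net for net in ALLOWED_EGRESS):
            continue
        findings[str(dst)]["sources"].add(str(src))
        findings[str(dst)]["bytes"] += nbytes
    return dict(findings)

if __name__ == "__main__":
    for dst, info in unexpected_egress(SAMPLE_LOG).items():
        print(dst, sorted(info["sources"]), info["bytes"])
```

Several store servers sending to the same unlisted destination, as in the sample, is the pattern worth alerting on first.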

“Malware to blame in supermarket data breach” [CNET]

“4.2 Million Credit Cards Exposed In Hannaford Supermarket Security Breach”
(Photo: AP/Pat Wellenbach)



  1. uberbucket says:

    Network security is for wimps.

  2. boomerang86 says:

    My credit union mysteriously sent me a replacement Visa debit card last week… when I called to inquire they told me that my card number was compromised in this data breach!

    I ALWAYS use my PIN with debit transactions; no money was pilfered from my accounts (so far).

  3. ivanthemute says:

    So, how the hell did the malware get on the servers to begin with? Was someone surfing porn, was it installed, what?

  4. danno99 says:

    My bank called me and stated that someone attempted to put a $1.00 charge on my card. They said that often times the ‘bad guys’ will try to put a small charge on your card and if it’s accepted, then they go to town with it and start charging the big ticket items. We cancelled that card immediately and I was sent a replacement. I am (was) a regular shopper at Hannaford.

  5. ghnvt says:

    @danno99: Usually they try to buy a song on iTunes or something like that.

  6. tedyc03 says:


  7. framitz says:

    Information stolen via a malware installation is still a BREACH and even more serious because there is no excuse for it.

  8. ClayS says:

    I would say that the company that owns the systems that were breached should be liable for all losses by their customers.

  9. Me - now with more humidity says:

    That’s what you get for buying servers at Best Buy…

    (oh come on, it’s a joke)

  10. Chris: Legally speaking, we can’t expect the PCI (payment card industry data security standard applicable to merchants) to keep pace with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. Credit card design must change. –Ben

  11. Just checked my Capital One activity. Whew. Fortunately, I only use that card a couple times a month (usually) and pay in full. Any weird stuff would stand out like a turd in a punchbowl.

  12. Balisong says:

    @danno99: Cancelling a card over an exact $1 charge was going waaayyyy overboard. There are many companies that will put a dollar charge on your account for verification reasons and such. The charge will later be removed. If it was an odd number like, say, something like $1.32, that would be a problem. But really people, don’t close your accounts over $1 charges :

  13. azrael1o says:

    I went to Vermont for vacation, received a $200 speeding ticket in New York and had my CC data stolen because I shopped at Hannafords…I will never shop there again…maybe I just won’t go up to Vermont ever again…

  14. uberbucket says:

    Why do retailers keep credit card info on customers for so long especially at a grocery store?

    Maybe I’m missing something.

  15. StevePJobs says:

    Better stay away from the new VIStA cards…

  16. ScooperJay says:


    It’s Malware on the POS. The information was intercepted at the point of input (checkout register).

    An example would be keylogger software. All input information (i.e. card scan) is captured and transmitted, in this case, overseas.

    PCI compliance requires that the POS computer be under lock and key.

    Does anyone know who the PCI auditor is (hehe was) for Hannaford?

  17. armour says:

    Let’s call a spade a spade: it’s a breach!!! It doesn’t matter where it happens within the network, it’s a breach, plain and simple. They are just playing semantics saying it wasn’t a database breach. You think the customers really give a care? They only care that they entrusted their information with someone and it was lost.

    The people that run that network should have their asses handed to them along with their pink slips!!!!

  18. LTS! says:

    I won’t go into details because I can’t but sometimes the people who run the networks are not to blame for the problems that occur.

    Sometimes it’s because the executive leadership refuses to purchase the resources required to achieve any reasonable network security.

    Let’s just say in this instance that Hannaford should be strung up for being extraordinarily ignorant in their business operations. Pointing fingers inside the organization is a bit misleading.

  19. Mr. Gunn says:

    They should have noticed that the server was communicating with a strange IP.

    What they actually should have noticed was an entry in the log that communication with a foreign IP was detected and blocked, and they should have noticed the HUGE RED FLASHING SIREN that such activity should have set off.

    Security is hard, but this kind of stuff is the relatively easy part.

  20. FLConsumer says:

    Malware? Holy shit! You mean they use Windows there?

  21. parad0x360 says:

    Malware my ass. They know damn well we will never find out what really happened so why not take the easy route and blame the incredibly wide scoped malware term? Bull****

  22. Buran says:

    @Balisong: It wasn’t overboard at all. Why keep your account open knowing that someone has charged something to it and is going to, in all likelihood, go nuts? Better to nip fraud in the bud than fight later.

  23. Balisong says:

    @Buran: What likelihood? As I said, legitimate companies use whole dollar charges to verify an account. I’ve seen it twice in the past on my bank statements and I still have all my monies.

  24. Grrrrrrr, now with two buns made of bacon. says:

    It’s still a merchant’s responsibility to keep data safe. It’s the same amount of damage whether the numbers were kept in a database or intercepted by a third party. Yes, why *didn’t* anyone notice the connection to a strange IP address?

    I will no longer use my ATM card at Hannaford….or anywhere else for that matter. At least if somebody makes fraudulent charges against my credit card, I’m only liable for the first $50.00. I’d rather be on the hook for $50.00 than find that my bank account has been cleaned out.

    Does anyone know what responsibility the card-issuer has if somebody did that? Enquiring minds want to know.

  25. danno99 says:

    I don’t recall if the amount was exactly one dollar, but it was my bank that caught it and made me aware of it. I thought that they did a really good job of the whole thing.

  26. Balisong says:

    @danno99: Ah, I see. I learned about verification charges from my own bank when I freaked out over an unknown charge on my account. So your bank was probably right too. Good for them!