http://securityratty.com/tag/sweetbay Sun, 16 Mar 2008 21:00:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/c1b967b003725194a9e1a04d3dc456b8 http://securityratty.com/article/c1b967b003725194a9e1a04d3dc456b8 Security Breach

Date Reported:
3/17/08

Organization:
Delhaize Group

Contractor/Consultant/Branch:
Hannaford Bros. Co
Sweetbay Supermarket

Victims:
Customers of Hannaford stores, Sweetbay stores in Florida and certain independently-owned retail locations in the Northeast that carry Hannaford products.

Number Affected:
4,200,000

Types of Data:
Credit card and debit card information

Breach Description:
"New England grocery chain Hannaford Brothers says a security breach has exposed 4.2 million customer credit- and debit-card numbers to scammers, with 1,800 fraud cases already reported."  Anyone who used a credit or debit card between December 7, 2007 and March 10, 2008 at any one of the 165 Hannaford stores in the Northeast or 106 Sweetbay stores in Florida is a potential victim of this breach.

Reference URL:
Message from Hannaford CEO Ron Hodge
The Boston Herald
The Wall Street Journal
The Boston Globe
PC World

Report Credit:
Hannaford Bros. Co.

Response:
From the online sources cited above:

BOSTON -- Two grocery store chains -- Hannaford Bros. and Sweetbay Supermarket -- both owned by Belgium-based Delhaize Group SA, suffered a credit-card data breach, the companies said Monday.

Hannaford has contained a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.

exposed about 4.2 million credit and debit card numbers

about 1,800 cases of fraud have been tied to the breach
[Evan] This is probably a hint as to how Hannaford became aware of the breach.  I am guessing that Hannaford was clueless until investigators contacted them.

evidence of unauthorized uses of card data have surfaced in Houston, Detroit, San Francisco, France and Brazil.

We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry. The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization.
[Evan] Their information security is "among the strongest in the industry"?  Here is a hint as to how the information was illegally obtained, "during transmission of card authorization".

The intrusion affected Hannaford stores, Sweetbay stores in Florida and certain independently-owned retail locations in the Northeast that carry Hannaford products.

Hannaford operates 165 stores in the Northeast. There are 106 Sweetbay supermarkets in Florida.

the breach began on Dec. 7 and continued until last Monday.

Hannaford is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected. We also alerted law enforcement authorities, and are working closely with them to help identify those responsible.

the U.S. Secret Service is investigating the possibility that Track 2 data -- including PIN numbers and expiration dates contained on credit cards -- were compromised

We realize this incident may raise concerns and questions for our customers, and we sincerely regret any inconvenience this attack on our system may cause you. As always, we appreciate you choosing to shop at Hannaford. We remain committed to providing you with the finest foods and a clean, friendly and secure shopping experience.
[Evan] This will be my understatement of the day, "We realize this incident may raise concerns and questions for our customers".  You think?  The banks are probably a little torqued too!

Commentary:
This is going to be another legal battle.  State and/or federal legislators are going to want more laws and regulations.  The consumers are caught in the middle, and the banks are going to want their money back.  4.2 million credit and debit card number heisted over a three month period is pretty hard to explain away.

How do you suppose the data was captured by thieves?  I know that Hannaford claims "during transmission of card authorization", but where?  Was the data captured while it was in transit over a public network?  The Payment Card Industry Data Security Standard (PCI DSS) states:
"Requirement 4: Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks that are easy and common for
a hacker to intercept, modify, and divert data while in transit." 
It's hard for Hannaford to claim they didn't know.

I sincerely hope that the statement "our systems, which we believe, are among the strongest in the industry", isn't true.  If it is, then we are in for a lot more breaches like this one, and more regulations to comply with.

This breach reminds me of a conversation I had a few years ago with the head of information security for a top 10 US bank.  He complained to me for ten minutes about how he was being forced to spend three million dollars encrypt data data between ATMs and central processing.  He claimed that the bank doesn't really have to be "secure", it only needs to be more secure that the next guy.  Believe it or not, he is still the head of security at the same bank.  Oy vey.

Past Breaches:
Unknown

]]> Mon, 17 Mar 2008 21:07:06 +0000 credit hannaford breach description breach credit-card data breach carry hannaford products information personal information information security Hannaford and Sweetbay supermarkets announce compromise of 4.2 million credit and debit cards http://securityratty.com/article/4c55bd17b8ff34d508e45417aa7cf359 http://securityratty.com/article/4c55bd17b8ff34d508e45417aa7cf359 Sun, 16 Mar 2008 21:00:00 +0000 data thieves debit card million credit sweetbay hannaford monday computers Data thieves steal credit card data from supermarket chain