Hannaford Breach Followup: Malware on All of Their Servers

By PatB
Contributing Writer, [GAS]

“All your groceries are belong to us.”

According to a ComputerWorld article, the Hannaford Breach was not just a single keylogger installed at a critical point in the enterprise. Malware was installed on each and every server that handled the credit card processing at their stores in New England, Florida and New York. That’s a lot of breaches.

From CW here:

Hannaford Bros. Co. disclosed this week that the intruders who stole up to 4.2 million credit and debit card numbers from the grocer’s systems did so by planting malware programs on servers at each of its stores in New England, New York and Florida.

The malicious software was used to intercept the payment card data as the information was being transmitted from Hannaford’s point-of-sale systems to authorize transactions. The malware then forwarded the stolen card numbers as well as their expiration dates to an overseas destination.

The discovery of the mass malware installation prompted a wholesale replacement of Hannaford’s store servers. In addition to disclosing that the malware had been installed on all of Hannaford’s store servers, it was designed to intercept the so-called Track 2 data that is stored in the magnetic stripe on the back of payment cards. The malware then batched the card numbers and expiration dates and “periodically transmitted the data to an offshore ISP.”

The article goes on to note that Hannaford is still not sure how someone broke into the system, and laughably, they even think maybe an insider was to blame. But a network so poorly protected that hundreds of servers could be breached without notice and data exfiltrated for months points more readily to poor design, poor management, and poor security.

The most likely scenario was a simple breach of a workstation by a trojan horse program installed by an unwitting employee. The operator of the trojan then simply scanned the internal network and realized that there were no safeguards in place and proceeded to backdoor each server.

At least Hannaford is proceeding with recovery in accordance with best practices. They are replacing the breached servers with new, fully patched systems to avoid any lingering malware that may reside on a system that was simply “cleaned.” The old hard drives are likely in the hands of the FBI and Secret Service for forensic analysis.
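The behaviour the article describes, batched Track 2 data leaving store servers for a host that is not the payment processor, is exactly what an egress DLP check is meant to catch. The following is an added example, not code from the article, Hannaford or ComputerWorld: a small Python detector that scans outbound payload excerpts for Luhn-valid Track 2 data heading to any host outside an assumed authorization-host allowlist. The sample records, the allowlist and the card numbers (industry test PANs) are constructed.

```python
import re

# Constructed sample: simplified outbound records from a store server as
# (destination host, payload excerpt). The PANs are public test numbers.
SAMPLE_RECORDS = [
    ("auth.processor.example", ";4111111111111111=2512101?"),            # normal authorization path
    ("203.0.113.7", ";4111111111111111=2512101?;5500000000000004=2601201?"),  # batch to unknown host
    ("updates.vendor.example", "GET /patches/kb123.cab"),                  # no card data at all
    ("203.0.113.7", ";1234567890123456=2512101?"),                         # track layout, fails Luhn
]

# Hosts the POS path is expected to reach for authorization (assumed allowlist).
AUTHORIZED_HOSTS = {"auth.processor.example"}

# Track 2 (ISO 7813) layout: start sentinel ';', PAN of 13-19 digits, field
# separator '=', YYMM expiry, service code / discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters out random digit runs that mimic a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(payload: str) -> list:
    """Return the Luhn-valid PANs that appear in Track 2 layout inside a payload."""
    return [m.group(1) for m in TRACK2_RE.finditer(payload) if luhn_ok(m.group(1))]


def flag_exfil(records, allowlist=AUTHORIZED_HOSTS) -> list:
    """Flag (host, pan_count) for records carrying track data to a non-allowlisted host.

    A count above one on a single record is the batching pattern described above.
    """
    alerts = []
    for dst, payload in records:
        pans = find_track2(payload)
        if pans and dst not in allowlist:
            alerts.append((dst, len(pans)))
    return alerts


if __name__ == "__main__":
    for host, count in flag_exfil(SAMPLE_RECORDS):
        print(f"ALERT: {count} card record(s) in Track 2 layout sent to {host}")
```

In a real deployment the allowlist comes from the acquirer's published endpoints and the records from a network tap or proxy log; the regex and Luhn filter together keep false positives from ordinary numeric traffic low.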

8 Responses to Hannaford Breach Followup: Malware on All of Their Servers

  1. /me dies

    Any word on what OS those servers were running? If Windows, was there at least some AV on there? Were they patched? I mean, was there any sort of anything even *close* to best-practice going on? Or even mediocre-practice?

    • Hey Jesmond, you work at GFI? Awesome company, awesome products :)

      Glad to have one of you guys read [GAS] :)

  2. From memory, I believe that the Track 2 data contains the credit card number and expiry date. Track 1 contains the cardholder's name.

    I would hope that most payment processors require the name to be absolutely correct when working with internet payments. This should stop most of the fraud done that way.

    However, it wouldn't take a lot of work to overwrite the Track 2 data on an old card and use swipe + signature to make purchases.
