Monday, March 24, 2008
Hannaford, a wholly owned subsidiary of Delhaize America, part of Delhaize Group, maintains that it was compliant with the PCI DSS when cardholder data was illegally accessed from its computer systems during the card authorization transmission process.
New Hampshire's Service Credit Union claimed that data for 5,500 of its cardholders was breached; most of it was taken from PIN-based transactions. Credit card users are normally liable for at most the first $50 of fraudulent charges. That rule varies for debit cards.
SCU and State Employees Federal Credit Union of New York have begun issuing new cards to more than 30,000 of their customers who may have been affected by the breach. Other credit unions and banks are expected to follow suit.
The intrusion affected 165 Hannaford stores in the Northeast, as well as 106 Sweetbay Supermarkets in Florida. Hannaford insists that no personal data such as names, addresses or telephone numbers was divulged.
The breach began on Dec. 7, 2007, and wasn't contained until March 10, 2008, according to Carol Eleazer, Hannaford's Vice President of Marketing in Scarborough, Maine. Company officials became aware of the breach on Feb. 27, 2008, Eleazer said.
On March 17, 2008, Hannaford released a statement on its Web site that there had been "theft of credit and debit card numbers and expiration dates during transmission of card authorization."
Eleazer also noted that Hannaford had been using data encryption throughout last year. "We were certified [PCI compliant] last spring and recertified February," she said.
Eleazer did not have further details about how the fraud occurred. It is currently under investigation by the U.S. Secret Service, along with experts inside and outside the company.
Although cardholder data has previously been stolen from databases maintained by merchants or card processors, this latest breach may represent a new line of attack. "This is the first publicly disclosed breach of data in transit," said Avivah Litan, Vice President, Distinguished Analyst in Security and Privacy for Gartner Inc.
Though the PCI DSS covers such issues as how employees should be screened and what precautions to take against hackers, the standard itself does not audit companies to ensure compliance. That function is performed by outside assessors; the identity of Hannaford's assessor was not disclosed.
That Hannaford could be compliant and still be vulnerable to a massive breach raised questions about whether other merchants are falsely confident about their security.
David Navetta, President of InfoSecCompliance LLC, a law firm that concentrates on computer security and regulatory compliance, argued that Hannaford and its assessor may have been confused by ambiguity in the PCI standards. Critics argue that the standard's encryption requirements leave it easy, and common, for hackers to intercept data. What is more likely, according to Navetta, is that Hannaford felt erroneously safe leaving data unencrypted in a place that turned out to be vulnerable.
Litan argued that the banking industry needs to make it harder for thieves to put stolen credit card data to use. "Requiring PINs on credit card transactions would remove 75 to 90 [percent] of the fraud in the system," she said. She also suggests that the auditors may place "too much focus on data at rest and not enough on who can see data in transit."
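The distinction Litan draws between data at rest and data in transit is easy to check for in practice: a passive tap on the authorization path sees whatever the terminal sends, and if the card number is in the clear there, encryption of the database behind it does not help. The following script is an added illustration, not code from the article or from Hannaford; it runs a simple cardholder-data scanner (13-19 digit runs filtered by the Luhn check, which card numbers satisfy) over constructed sample authorization messages. The message layout, the field names and the token value are invented for the example; the PAN used is the standard test number 4111111111111111.

```python
import re
from typing import Dict, List

# Constructed sample messages (assumptions for this example, not captured
# traffic). The first carries the PAN in the clear, as a plaintext
# authorization request would; the second carries an opaque token instead.
PLAINTEXT_AUTH = (
    "AUTH REQ|MTI=0100|PAN=4111111111111111|EXP=0912|"
    "AMT=000000004523|MERCHANT=STORE0165|STAN=123456"
)
TOKENIZED_AUTH = (
    "AUTH REQ|MTI=0100|PAN=tok_7f3a9c2e1b|EXP=0912|"
    "AMT=000000004523|MERCHANT=STORE0165|STAN=123456"
)
# A 16-digit value that fails the Luhn check: looks like a PAN, is not one.
NOISE_MESSAGE = "LOG|ref=4111111111111112|amt=1"

# Candidate PANs: 13 to 19 digits, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> List[str]:
    """Return the Luhn-valid card numbers visible in one captured payload."""
    return [m.group(1) for m in PAN_RE.finditer(payload) if luhn_valid(m.group(1))]


def mask(pan: str) -> str:
    """Mask a PAN to first six and last four, the usual form for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_capture(messages: List[str]) -> Dict[int, List[str]]:
    """Map message index -> masked PANs seen in the clear; empty means clean."""
    hits = {}
    for idx, msg in enumerate(messages):
        pans = find_pans(msg)
        if pans:
            hits[idx] = [mask(p) for p in pans]
    return hits


if __name__ == "__main__":
    capture = [PLAINTEXT_AUTH, TOKENIZED_AUTH, NOISE_MESSAGE]
    for idx, masked in scan_capture(capture).items():
        print(f"message {idx}: cardholder data in transit: {masked}")
```

Only the plaintext request is flagged; the tokenized request and the Luhn-invalid noise line are not, so the check separates real exposure of card numbers on the wire from digit strings that merely look like one. The same scan applied to a real capture of the terminal-to-processor link is the kind of evidence an assessor focused only on stored data would never collect.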
For Hannaford, the litany of problems associated with the breach may already be manifesting: On March 18, 2008, Bangor, Maine-based attorney Samuel Lanham Jr. filed a class action lawsuit on behalf of all consumers in the United States whose credit or debit card data was stolen from Hannaford's computer networks. The following day, the law firm of Berger & Montague P.C. also filed a suit.
The complaint alleges that Hannaford was negligent for failing to maintain adequate security for customers' data that was later accessed and stolen.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.