Latest Retail Breach Targets Data During Transmission
The grocery chain Hannaford Bros. Co. was hit by a sizable data breach from December 2007 to March 2008. Mastercard and Visa have notified member banks about the breach, which involved the theft of card numbers and expiration dates during authorization transmissions. Unlike other breaches, this one didn't go after stored data, but it seems to have been successful enough that as many as 4.2 million accounts may have been compromised.
Gartner analyst Avivah Litan is quoted in ComputerWorld:
"Thieves are going after data in transit," she said, noting that as companies get better at protecting stored data, more attackers are targeting information while it's being transmitted. According to Litan, many merchants still don't encrypt such data, even though doing so is a requirement under the industry security standard, which is known by the acronym PCI.
Hannaford claims in a Customer Questions posting that:
our security measures meet industry compliance standards and many go above and beyond what is required by industry standards.
which would seem to indicate compliance with PCI. If the data was encrypted with a modern algorithm (e.g. AES), then one wonders if keys were compromised. Or is there some point in the transaction workflow where the data is unencrypted and was stolen at that point? I hope more details are disclosed about the breach; however the breach occurred there, it could happen elsewhere.
An advisory on the company Web site suggests customers check their card statements and contact the company's Customer Information Center at 866-591-4580 with questions.



