Academic journal article Journal of the International Academy for Case Studies

Stolen Data and Fraud: The Hannaford Brothers Data Breach

Academic journal article Journal of the International Academy for Case Studies

Stolen Data and Fraud: The Hannaford Brothers Data Breach

Article excerpt

THE DATA THEFT

The first indication that Hannaford Brothers had a problem came on February 27, 2008 when they were notified by First Data--which handles transactions for Discover and American Express--about a high number of fraudulent charges on credit cards which had previously been used at Hannaford stores (Wickenheiser, 2008). Although Hannaford Brothers had never before been the victim of a data breach, they were now in the middle of an ongoing theft of customer information that would be one of the most publicized of2008 and ultimately lead to millions of their customers' credit card data being stolen. After being alerted by First Data, Hannaford Brothers notified the Secret Service and assembled a team of over thirty computer forensic experts to find the source of the data leak. At this point Hannaford Brothers had not notified the public and did not know how the data was being stolen. As they were trying to determine how the theft was occurring one thing was very clear: they had to figure it out quickly. The longer they took, the more customer data was being stolen. They had to find out what data was being stolen, how the thieves were stealing it and they had to do it fast.

Since credit card fraud was what alerted them to their ongoing data theft, the store's payment system was examined as a source of the data theft. Each of the Hannaford Brothers and affiliate stores had the same Point of Sale (POS) system architecture. Next to each cashier in the store was a POS terminal with a card reader. When the cashier had rung up all of the items in the order, if the customer wished to pay with a credit or debit card the customer's card would be swiped and their authorization data would travel from the POS terminal to an in-store server and then out to their transaction processor which would authorize the credit card for the purchase. Each store had one server and multiple POS terminals with card readers.

After more than a week of round-the-clock work the Hannaford Brothers forensic team determined that criminals somehow had managed to insert a malware program onto every one of the Hannaford Brothers in-store servers. They had managed to do this for all of the close to three hundred stores distributed throughout the northeast and Florida. The malware program was able to grab the data as it was being sent from the POS terminals to the in-store server as part of the authorization process and then add the data to a cache of stolen data. The malware would then regularly connect with an overseas Internet Service Provider (ISP) and send the most recent batch of stolen customer data out of the United States. This data theft was occurring despite the fact that Hannaford Brothers had a security firm to monitor its network security and their stores used a modern POS system that should have been secure (in fact, Hannaford Brothers had been featured in a 2005 Computerworld article as an example of a retailer aggressively updating and modernizing their POS system (Hoffman, 2005)).

There were a number of other reasons that Hannaford Brothers described this attack as "new and sophisticated". The first of these is the operating system of the computer the malware ran on. Most of the computers in the world use a Microsoft Operating system, but the malware that stole the data from Hannaford Brothers was designed to run on a computer running the Linux operating system. Although Linux is widely used as a server operating system (OS), only a small percentage of non-server machines run Linux and thus there has been little financial incentive for malware writers to create malware for Linux. This has led some to the conclusion that this malware was custom written and designed specifically for the Hannaford Brothers payment system. The uniqueness of this malware is also reflected in how difficult it was to find and indentify by the computer forensic team: it took a thirty person team of Secret Service and other computer forensic experts--working around-the-clock--over a week to find this malware program. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.