PORTLAND – Unauthorized software that was secretly installed on servers in nearly all of Hannaford Bros. Co.’s supermarkets paved the way for a massive data breach that compromised up to 4.2 million credit and debit cards, the company said Friday.
The Scarborough-based grocer confirmed a report in the Boston Globe that it told Massachusetts regulators this week about the link to the illicit computer program known as “malware.”
The company doesn’t know if the malware – industry shorthand for malicious software – was downloaded to the servers from a remote location or at each of the nearly 300 stores, Hannaford spokeswoman Carol Eleazer said.
“Virtually everything is possible,” she said. “There are still many, many aspects that we don’t totally understand.”
The company has said that the data theft, which occurred between Dec. 7 and March 10, took place as shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.
The malware installation was revealed in a letter from Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick’s Office of Consumer Affairs and Business Regulation. Eleazer declined to release a copy, saying it was an attorney-to-attorney communication that was intended to be private.
The involvement of the software was not new information but rather “a level of detail that we’ve not shared previously because of the confidential nature of the investigation,” she said. The breach remains under investigation by the U.S. Secret Service.
The software was installed in all Hannaford stores in New England and New York, and in most of the company’s affiliated Sweetbay stores in Florida, Eleazer said.
At least 1,800 cases of fraud have been linked to the data breach, with unauthorized charges showing up as far afield as Mexico, Italy and Bulgaria.
The breach has prompted concern in the industry because it appeared to be the first large-scale theft of credit and debit card numbers while the information was in transit. The usual mode of attack targets data sitting in databases, as in the record-setting theft of information from Massachusetts-based TJX Cos. involving least 45 million cards.
Even while the Hannaford hack was still going on last month, the company was found to be in compliance with security standards required by the Payment Card Industry, a coalition founded by credit card companies.
Hannaford has declined to discuss specifics of its security system or spell out the extent to which its stores encrpyt payment data throughout the transmission process.
Send questions/comments to the editors.
Success. Please wait for the page to reload. If the page does not reload within 5 seconds, please refresh the page.
Enter your email and password to access comments.
Hi, to comment on stories you must . This profile is in addition to your subscription and website login.
Already have a commenting profile? .
Invalid username/password.
Please check your email to confirm and complete your registration.
Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.
Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.