Supermarket loses 4.2 million credit card details

A New England-based supermarket chain has warned of an information security breach that exposed an estimated 4.2 million credit card records. Hannaford said hackers might have accessed customer credit and debit card numbers - but not the corresponding names or addresses - after hacking into systems involving card authorisation …

COMMENTS

This topic is closed for new posts.
  1. Senor Beavis
    Coat

    TJ versus TK

    Why in the name of all that is holy is it TJ Maxx stateside and TK Maxx in Brit land?

  2. John Macintyre

    playing the dumb card

    I'm assuming this is all down to online shopping and not orders made in store right? Why do they need to hold the credit card details of that many cards after payment has been authorised and taken? And if it isn't online, why would they have the corresponding names and addresses for all those people, the two bits of information you're always meant to keep separate?

    Or is this my naivety, that once you purchase from a shop the company won't be interested in tracking your shopping habits every step of the way... almost makes me want to move back to cash payment again...

  3. Steve

    We need a disclosure law for the UK

    I like to indulge in a bit of traditional English xenophobia and casual racism as much as the next guy, but I can't believe that this is solely a problem for the merkins.

    At least when their monolithic corporations put all of their customers at financial risk they have to cough up to it.

  4. Jared Earle
    IT Angle

    @Beavis

    TK Maxx is so called so as not to be confused with TJ Hughes, apparently.

  5. Rob
    Coat

    @ Senor Beavis - wrong question.

    Instead of asking "Why is it TJ Maxx stateside and TK Maxx in Brit land?" you should be asking "which country do we have to go to to find TL Maxx"?

    It's the discounted designer one...

  6. citizenx

    Re: John MacIntyre

    >I'm assuming this is all down to online shopping and not orders made in store right?

    The article states "after hacking into systems involving card authorisation". That doesn't give any indication as to whether these are in store or not. Chances are the data would travel through the same system irrespective. So to jump on the internet fraud bandwagon at this stage would seem a little hasty/speculative.

    >Why do they need to hold the credit card details of that many cards after payment has been authorised and taken?

    Who said this occurred AFTER that?

    >And if it isn't online, why would they have the corresponding names and addresses for all those people, the two bits of information you're always meant to keep separate?

    The article clearly states "Hannaford said hackers might have accessed customer credit and debit card numbers - but not the corresponding names or addresses"

    >Or is this my naivety, that once you purchase from a shop the company won't be interested in tracking your shopping habits every step of the way... almost makes me want to move back to cash payment again...

    Companies DO track what you buy to build up a marketing profile. It's usually done via storecards rather than credit card data. Certainly, that would be unlawful in the UK and I expect so for the US (that said, the US do have some odd data protection legislation).

  7. Anonymous Coward

    Something doesn't fit here...

    If only credit card numbers and expirations were revealed, I believe that isn't enough for someone to execute fraudulent transactions, as, IIRC, one also needs the cardholder's name. How, then, do they get thousands of fraud cases using these numbers?

  8. RainForestGuppy
    Alert

    PCI Compliance

    Anybody working with Credit/Debit card info will be familiar with the PCI DSS v1.1. This is the standard insisted on by Mastercard/Visa/JCB/Diners/AMEX for handling Credit/Debit Card info.

    Unlike many standards i.e. FSA, DPA etc PCI DSS is very definite. It gives actual details of how your system must be set up, and every security professional I've spoken to says it's common sense and would help against info theft.

    In fact PCI stated that if TKMaxx had been fully PCI DSS compliant they would not have had the theft via a wireless AP, as it would have been configured correctly.

    The main problem is that the PCI especially in EU won't set a definite deadline for compliance. They also have a limit of a $500,000 fine for non-compliance. So for many companies Senior Management won't give it the necessary backing.

    If Mastercard/Visa etc really wanted to get PCI adopted, all they need to do is to either reduce their commission for companies that are compliant or increase it for companies that aren't.

    Because if it directly affected the bottom line, every CFO would be insisting that PCI was a top priority.

  9. Anonymous Coward
    Pirate

    It's still January here

    I live in Maine and occasionally shop at the local Hannaford. So I had a lovely talk with my CC company today. Nothing bogus has shown up (yet), but twixt the two of us we'll be keeping several sets of watchful eyes.

    I'm bummed that Hannaford a) took so long to discover they had been hacked and b) took as long as they did to come out with it. More full-disclosure is needed here too.

    Argh.

  10. Benjamin Wright

    definition of data security compromise

    Spectacular announcements about massive data security breaches do the public little good. The implication of these announcements is that some data (i.e., that which are the subject of the announcements) are more exposed than other data. As a practical matter that is false. All personally identifiable data are more or less exposed all the time. And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data-holders should set a high threshold of proof before concluding that a "data security breach" worthy of announcement has occurred for any given unit of data. (Data-holders should of course consult their attorneys.) http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html

  11. Anonymous Coward
    Coat

    It's in store

    They use insecure wifi for credit card transactions, just like TJX did with all their stores, simple to monitor it and read off card numbers.

  12. Gaz

    Another snafu but...

    might not be as bad as it sounds. Card numbers by themselves are pretty useless. To make a transaction you'd need as a minimum the card holder's name, issue/expiry dates and cv2 code. Interestingly many card issuers don't need the address for verification.

  13. Michael

    I'm a Mainer

    that shops at Hannaford all the time, and am trying to figure out if someone is having a field day with my cash. Still trying to figure out if I need to cancel my account, but nothing has shown up as of yet. My mom thinks it's funny that she had to inform the family tech of such an event. She has an odd sense of humor.

  14. John A Blackley

    @benjamin wright

    After talking with a colleague in the area, I understand that the company made the disclosure on the advice of their legal staff - based on their legal staff's understanding of compliance with state law on disclosure.

  15. ImaGnuber
    Unhappy

    RE: definition

    "Spectacular announcements about massive data security breaches do the public little good. "

    Seems to be the attitude here in Canada as I can't remember the last time a 'data security breach' received wide coverage and like Steve (We need a disclosure law for the UK) I can't believe they aren't happening on a regular basis.

    Why should every one be announced, Benjamin? Because the only way to keep pressure on the bastards to secure information is to constantly wave the threat of embarrassment and possible loss of business as people lose faith.

    Actually I don't really think they're capable of being embarrassed so 'loss of business' is probably the only real threat.

  16. Jach
    Linux

    And again!

    Why am I seeing more and more of these cases with mass data breaches, and not less and less?

    Maybe they're using some sort of Windows back-end?

  17. Anonymous Coward

    @rainforestguppy

    I just assisted a friend in a PCI compliance audit and needless to say, the fines that are levied against merchants are NOT equal. TJ Maxx was a wake up call for the entire credit/debit industry (creditors, the processing companies and the service companies that write the transaction handling database software). Did anybody pay a damn bit of attention? No. Did anybody scream for sweeping reform? Hardly. Instead of doing what's right, by protecting the data through encryption, at every level... Or even reducing the number of hops a transaction has to take, between merchant/creditor/consumer, track data, account numbers and personal information gets bounced all over the place.

    I must qualify my last sentence based on the fact that only within the last year and a half (in my experience) software publishers are now finally warning merchants of the possible risks in using older software.

    The fines and penalties levied against TJ Maxx are nowhere near the same percentage that are placed on smaller merchants. For example, one business I worked on had approximately 1000 cards and $200,000 worth of fraudulent charges that were ultimately traced back to a compromised and unencrypted POS system they used. Once we got it all secured and mitigated, and went through several PCI compliance reviews, with fines and other associated costs, the business had to pony up almost $100,000. That happened to be more than 10% of their gross annual revenue and if they're lucky and can stay in business, they might become profitable again in 5 or so years.

    Yet TJ Maxx has a limit on the amount they're liable for? Sorry, but their entire executive board should be behind bars. And this store gets compromised and roughly 4.2 million cards are potentially compromised? They should be shut down. Period.

    Oh, as for the Secret Service... Unless the fraud amount is less than something in the high 6 digit range, they generally won't even return a phone call. We got more help from the FBI than the Secret Service, but sadly, due to the international nature of all the fraudulent transactions, their hands were somewhat tied.

  18. Anonymous from Mars
    Thumb Up

    Supermarket identity sweep

    "Supermarket identity sweep" - best tagline in a while.

    Unfortunately, John Q. Public doesn't care about issues like this at all. I remember a story like this only being mentioned in passing on the news channels because the top story was Paris bitching about having to go to jail.

  19. Anonymous Coward
    Happy

    All your data are belong to us

    LOL

    Chalk up another one for the dark-side!

  20. robert

    using just cc number and expiry

    I know of payment machines that take a credit card that don't require any pin or any other type of authorisation... so dumping the cc number and exp to a card and then using it in one of these types of machines could be one way to defraud?

  21. Gaz

    @robert

    It is possible for merchants to process transactions with just the name, card number, and expiry dates. In practice however very few are prepared to do so because of the extra liability they take on. For example if they go ahead with a transaction minus the cv2 code, the merchant and not the card issuer then becomes liable for chargebacks.
