It started with a single piece of malware on a single machine. But that malicious software was then forwarded to some 300 computer servers for the Hannaford supermarket chain. With that, the credit-card information of millions of people, primarily from New England and Florida, was set upon by thieves.
It was particularly disturbing that this piece of malware enabled hackers to steal someone's credit-card number while it was in transit. The thieves could access data from the moment customers swiped their card at the checkout, as the data made its way to the grocer's database. In most data-theft cases, credit-card numbers are stolen from massive databanks that have been hacked.
Hannaford had been certified as meeting PCI (Payment Card Industry) data-protection standards in February 2007. In a letter from Hannaford to government officials in Massachusetts, the company explained that the malware intercepted the data stored on the magnetic strip of a payment card. When someone paid with plastic, the card's number and expiration date made their way to the hackers.
The Boston Globe's Ross Kerber, who broke the story, reported that information security experts were somewhat flummoxed by this novel and frightening approach to data theft. It demonstrates the skill and persistence of hackers, who continually uncover the weakest links in computer networks.
"In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, [Mass.,] where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data – sometimes in violation of payment industry standards – at central locations in their computer networks," the Globe wrote.
Hannaford, however, says it does not hold on to such personal information – a precaution it hoped would protect its customers from large-scale breaches. But the thieves nabbed the data at a point in the transaction process that neither stores nor banks are responsible for safeguarding under the PCI standards. It's a strange loophole in the industry regulations that many sides are now working to plug.
Think of it this way: Rather than trying to break into the heavily protected bank, hackers found a way to snatch the information while it was being carried, with minimal protection, into the bank.
More than a few security specialists suspect it was an inside job – that someone helped get the malware onto the computers. There are no signs of that yet, but you can bet federal investigators will be asking a lot of questions.
In a roundabout way, Hannaford's problem may become your problem. When I've written about the subject of malware in the past, I've basically said most people are fine.
You need security protection, of course. But hackers have been interested primarily in getting into large databases of information – your one credit-card number isn't worth their time and effort. I'm not sure about that anymore. Increasingly sophisticated malware is quickly changing the equation, and the Hannaford case shows how smart the bad guys are.
For those unfamiliar with malware, it's software designed to infiltrate, hide in, or damage computers. It tries to install itself without a person's knowledge. Malware can include computer viruses such as worms and Trojan horses, but the category also includes spyware, dishonest adware, keystroke loggers, dialers, and other malicious and unwanted software.
Malware is most often identified by its intent. Often, the creator of a malware program has a specific purpose: The individual may want information of some kind, or want to damage a particular institution or individual.
Malware can also just be plain annoying. Your computer's running slow? Often it's adware and spyware sucking down your PC's processing power.
Malware can find its way onto your computer in many, many ways. Sneaking in via e-mail is just one route. Websites can drop adware on your computer, as can blogs or electronic gadgets. (A recent line of digital picture frames came with a virus installed on them.)
Many of these devices come from China, and experts say viruses and malware make their way onto equipment because of poor quality control. It's the computer equivalent of toys coated with lead paint.
One shield against malware is to get a good program like Ad-Aware. (Just Google it.) The software is offered free of charge, but there is also a fee-based version. The free one works great for most people. I run mine every two or three days and I am almost always amazed at how much stuff has made its way onto my computer since I last ran the program. But there are lots of other programs: SpywareGuard, Norton Internet Security, and CounterSpy. With these installed, you can sleep better, and if nothing else, your computer should run better.
In a case like Hannaford's, it's a bit more complicated.