The surprising attack on a supermarket's network shows the importance of sweeping for malware.
It started with a single piece of malware on a single machine. But that malicious software was then forwarded to some 300 computer servers for the Hannaford supermarket chain. With that, the credit-card information of millions of people, primarily from New England and Florida, was set upon by thieves.
It was particularly disturbing that this piece of malware enabled hackers to steal someone's credit-card number while it was in transit. The thieves could access data from the moment customers swiped their card at the checkout, as the data made its way to the grocers' database. In most data-theft cases, credit-card numbers are stolen from massive databanks that have been hacked.
Hannaford had been certified as meeting PCI (Payment Card Industry) data-protection standards in February 2007. In a letter from Hannaford to government officials in Massachusetts, the company explained that the malware intercepted the data stored on the magnetic strip of a payment card. When someone paid with plastic, the card's number and expiration date made their way to the hackers.
The Boston Globe's Ross Kerber, who broke the story, reported that information security experts were somewhat flummoxed by this novel and frightening approach to data theft. It demonstrates the skill and persistence of hackers, who continually uncover the weakest links in computer networks.