Stolen data and fraud: the Hannaford Brothers data breach.
Clapper, Danial L.
THE DATA THEFT
The first indication that Hannaford Brothers had a problem came on
February 27, 2008 when they were notified by First Data--which handles
transactions for Discover and American Express--about a high number of
fraudulent charges on credit cards which had previously been used at
Hannaford stores (Wickenheiser, 2008). Although Hannaford Brothers had
never before been the victim of a data breach, they were now in the
middle of an ongoing theft of customer information that would be one of
the most publicized of 2008 and would ultimately lead to millions of their
customers' credit card records being stolen. After being alerted by
First Data, Hannaford Brothers notified the Secret Service and assembled
a team of over thirty computer forensic experts to find the source of
the data leak. At this point Hannaford Brothers had not notified the
public and did not know how the data was being stolen. As they were
trying to determine how the theft was occurring one thing was very
clear: they had to figure it out quickly. The longer they took, the more
customer data was being stolen. They had to find out what data was being
stolen, how the thieves were stealing it and they had to do it fast.
Since credit card fraud was what alerted them to their ongoing data
theft, the store's payment system was examined as a source of the
data theft. Each of the Hannaford Brothers and affiliate stores had the
same Point of Sale (POS) system architecture. Next to each cashier in
the store was a POS terminal with a card reader. When the cashier had
rung up all of the items in the order, if the customer wished to pay
with a credit or debit card the customer's card would be swiped and
their authorization data would travel from the POS terminal to an
in-store server and then out to their transaction processor which would
authorize the credit card for the purchase. Each store had one server
and multiple POS terminals with card readers.
After more than a week of round-the-clock work the Hannaford
Brothers forensic team determined that criminals somehow had managed to
insert a malware program onto every one of the Hannaford Brothers
in-store servers. They had managed to do this for all of the close to
three hundred stores distributed throughout the northeast and Florida.
The malware program was able to grab the data as it was being sent from
the POS terminals to the in-store server as part of the authorization
process and then add the data to a cache of stolen data. The malware
would then regularly connect with an overseas Internet Service Provider
(ISP) and send the most recent batch of stolen customer data out of the
United States. This data theft was occurring despite the fact that
Hannaford Brothers had a security firm to monitor its network security
and their stores used a modern POS system that should have been secure
(in fact, Hannaford Brothers had been featured in a 2005 Computerworld
article as an example of a retailer aggressively updating and
modernizing their POS system (Hoffman, 2005)).
There were a number of other reasons that Hannaford Brothers
described this attack as "new and sophisticated". The first of
these is the operating system of the computer the malware ran on. Most
of the computers in the world use a Microsoft Operating system, but the
malware that stole the data from Hannaford Brothers was designed to run
on a computer running the Linux operating system. Although Linux is
widely used as a server operating system (OS), only a small percentage
of non-server machines run Linux and thus there has been little
financial incentive for malware writers to create malware for Linux.
This has led some to the conclusion that this malware was custom written
and designed specifically for the Hannaford Brothers payment system. The
uniqueness of this malware is also reflected in how difficult it was for
the computer forensic team to find and identify: a thirty-person team of
Secret Service and other computer forensic experts, working around the
clock, needed over a week to locate the malware program.
Another unusual aspect of this malware is that the criminals were
able to place it on over three hundred servers distributed from Maine to
Florida. Speculation about how this was done ranges from an inside job,
to malware that moved from one server to the next until it was on all of
the servers. But neither Hannaford Brothers nor the Secret Service has
publicly detailed how this was achieved, and it is possible that neither
knows. Another unusual aspect of this data breach is that the data was
stolen in-transit during the authorization process. A more typical
approach used by criminals is to target databases containing credit card
data "at rest", i.e., stored in a database possibly during the
daily batching process step. A Gartner report states that the Hannaford
Brothers data breach was the first publicized case of sensitive card
authorization data being stolen in transit (Litan, March 20, 2008).
Whether at-rest or in-transit, the payment card industry is very
concerned about customer data being stolen. To enhance cardholder data
security the Payment Card Industry Security Standards Council created
the PCI Data Security Standard (PCI DSS). This standard is organized
around a number of principles each with one or more requirements. The
principles are: Build and Maintain a Secure Network; Protect Cardholder
Data; Maintain a Vulnerability Management Program; Implement Strong
Access Control Measures; Regularly Monitor and Test Networks; Maintain
an Information Security Policy (PCI Security Standards Council, 2008).
Under the Protect Cardholder Data principle there are two requirements:
Requirement 3, protect stored cardholder data, and Requirement 4, encrypt
transmission of cardholder data across open, public networks. Since the
malware at Hannaford Brothers stole the data in transit it would appear
that Requirement 4 was not met, but "open, public networks" refers to
external networks such as the Internet. Because the malware ran on the
server in each store, it grabbed the data in transit on the private store
network, and the standard did not require the data to be encrypted on
that segment. Requirement 3 was not engaged either: it governs cardholder
data at rest, and this malware never had to touch stored data. Hannaford
Brothers was in PCI compliance at the time of the data breach, and
ironically its compliance was re-certified on February 27, 2008, the same
day it was first notified of the fraud problems (Kaplan, Hannaford tells
regulators how breach happened, 2008).
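The gap between "in transit on the Internet" and "in transit inside the store" is easiest to see by looking at the authorization message from the store server's point of view. The Python below is an added example, not code from the case, from Hannaford Brothers or from any PCI document: it builds a terminal message containing a constructed Track 2 string (the Track 2 layout is described under THE STOLEN DATA below), shows what a process on the in-store server can pull out of it, and then repeats the exchange with Track 2 encrypted at the terminal under a key only the processor holds. The key, the message layout and the HMAC-based cipher are assumptions made for the example; real point-to-point encryption products use AES with per-transaction keys derived inside the secure card reader.

```python
"""Added example: the same authorization message seen by a process on the
in-store server, first as an unencrypted terminal sends it and then with
Track 2 encrypted at the terminal under a key the store server never holds.
The cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC) is a stdlib
stand-in for the AES-based schemes real P2PE products use; key, message
layout and track value are constructed for the example."""
import hashlib
import hmac
import json
import os
import re

# Public test PAN 4111 1111 1111 1111 with made-up expiry, service code and
# discretionary data; constructed, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=12121011234567890?"

# Shape of a Track 2 string as it would appear inside a captured message.
TRACK2_PATTERN = re.compile(r";\d{13,19}=\d{7,}\?")

# Hypothetical terminal key shared only with the processor (assumed).
TERMINAL_KEY = hashlib.sha256(b"example terminal key, not for real use").digest()


def _subkeys(master_key):
    """Derive separate encryption and MAC keys from the terminal key."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """PRF blocks HMAC(key, nonce || counter) concatenated as a keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master_key, plaintext):
    """Return nonce || ciphertext || tag, with a fresh nonce per message."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key, blob):
    """Verify the tag before decrypting; reject anything modified in transit."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def terminal_message_plain(track2, amount_cents):
    """Authorization request as an unencrypted terminal would send it."""
    return json.dumps({"track2": track2, "amount": amount_cents}).encode()


def terminal_message_p2pe(track2, amount_cents, terminal_key):
    """Same request with Track 2 encrypted before it leaves the terminal."""
    blob = encrypt(terminal_key, track2.encode())
    return json.dumps({"track2_enc": blob.hex(), "amount": amount_cents}).encode()


def malware_sniff(message):
    """What a process watching traffic on the in-store server can harvest."""
    return TRACK2_PATTERN.findall(message.decode("latin-1"))


def processor_recover(message, terminal_key):
    """Only the processor, holding the terminal key, sees Track 2 again."""
    blob = bytes.fromhex(json.loads(message)["track2_enc"])
    return decrypt(terminal_key, blob).decode()


def tampering_is_detected(terminal_key):
    """Flip one ciphertext bit and confirm the processor refuses the blob."""
    blob = bytearray(encrypt(terminal_key, SAMPLE_TRACK2.encode()))
    blob[16] ^= 0x01  # first ciphertext byte, after the 16-byte nonce
    try:
        decrypt(terminal_key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("clear message, sniffer sees:", malware_sniff(
        terminal_message_plain(SAMPLE_TRACK2, 4237)))
    msg = terminal_message_p2pe(SAMPLE_TRACK2, 4237, TERMINAL_KEY)
    print("encrypted message, sniffer sees:", malware_sniff(msg))
    print("processor recovers:", processor_recover(msg, TERMINAL_KEY))
```

With the clear message, malware_sniff returns the full track; with the encrypted message it returns nothing, and processor_recover still gets the track back. The point is not the particular cipher but where the key lives: if the store server never holds it, compromising the server yields only ciphertext, which is what the Gartner note's "end-to-end" recommendation amounts to.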
By March 8, 2008 the company was confident that it had identified
the malware that caused the data breach. It replaced all of the system
hardware and rechecked the software (Hench, 2008). From a forensic
analysis of their customer transactions Hannaford Brothers determined
that over 4.2 million customer purchases from December 7, 2007 to March
8, 2008 may have been compromised. But what information precisely had
been stolen? To understand the types of fraud that Hannaford's
customers faced it was vital to determine the exact data that was
stolen--that would determine the types of fraud that criminals could
commit with the data.
THE STOLEN DATA
Credit cards contain two different types of storage: visible data
on the surface of the card itself (either printed or embossed) and data
stored in the magnetic stripe on the back of the card which can only be
read by a card reader. The most important data stored on the card itself
is the credit card number (Primary Account Number or PAN), which is
typically embossed on the card, and the card verification value (CVV2),
which is usually printed on the back of the card. The CVV2 is used to help
prevent fraud in "Card-not-Present" transactions, such as a purchase on
the web, by helping to verify that the customer actually has physical
possession of the credit card and not just a stolen credit card number
(Visa U.S.A. Inc., 2007).
Hannaford Brothers is a retail grocer so the cards used were in a
"Card Present" situation. In this situation the card is
"swiped" as the customer pays for the purchase. In this
setting, only magnetic stripe data is used for the transaction. As the
card is swiped the Point of Sale (POS) terminal's card reader
obtains the data it needs from the magnetic stripe on the back of the
card. The information stored on the magnetic stripe is called "Track
Data". When the card is swiped the data needed to authorize the
purchase is read from the tracks.
In theory there can be as many as three separate tracks, but typically
only the first or second track is used for a credit card transaction.
The key data contained in the tracks are as follows. Track 1: the
Primary Account Number (PAN), which should be the same as the number
embossed on the card; the cardholder name; and the expiration date.
Track 2: the PAN, again matching the embossed number, and the expiration
date. Both tracks also carry a three-digit service code and issuer-defined
discretionary data, but the fields above are the key data needed for
transactions and which must be protected (Wikipedia, Viewed: June 22,
2009).
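The Track 2 layout above is simple enough to parse by hand, which is also why it is easy for malware to recognise in a captured stream. The following Python is an added example, not code from the case: it parses a Track 2 string built from the public Visa test number 4111 1111 1111 1111 (constructed, not a real card), verifies the PAN's Luhn check digit, and then produces the trimmed record a merchant may keep after authorization, with the PAN masked and no track data retained, as PCI DSS Requirements 3.2 and 3.3 expect. The "20" century prefix applied to the two-digit expiry year is an assumption.

```python
"""Added example: parse ISO 7813 Track 2, check the PAN, and build the
post-authorization record a merchant may keep (masked PAN, no track data).
The track value is constructed from a public test PAN."""
import re

# Track 2: ';' PAN (up to 19 digits) '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

SAMPLE_TRACK2 = ";4111111111111111=12121011234567890?"  # constructed


def luhn_valid(pan):
    """Standard Luhn check-digit test; catches misreads, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw):
    """Split a Track 2 string into its fields; reject malformed input."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    pan = m.group("pan")
    if not luhn_valid(pan):
        raise ValueError("PAN fails the Luhn check")
    exp = m.group("exp")
    return {
        "pan": pan,
        "expiry": "20%s-%s" % (exp[:2], exp[2:]),  # YYMM -> YYYY-MM (assumed century)
        "service_code": m.group("svc"),
        "discretionary": m.group("disc"),
    }


def is_well_formed_track2(raw):
    """True when parse_track2 accepts the string."""
    try:
        parse_track2(raw)
        return True
    except ValueError:
        return False


def mask_pan(pan):
    """PCI DSS 3.3: at most the first six and last four digits may be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def post_authorization_record(raw_track2, amount_cents, approval_code):
    """What the merchant may retain once the issuer has answered: masked PAN
    and expiry for receipts and chargebacks, never the full track
    (PCI DSS 3.2 forbids storing full magnetic-stripe data after auth)."""
    t = parse_track2(raw_track2)
    return {
        "masked_pan": mask_pan(t["pan"]),
        "expiry": t["expiry"],
        "amount_cents": amount_cents,
        "approval_code": approval_code,
    }


if __name__ == "__main__":
    print(parse_track2(SAMPLE_TRACK2))
    print(post_authorization_record(SAMPLE_TRACK2, 4237, "A1B2C3"))
```

Note what the parsed dictionary contains and the stored record does not: the full PAN, the service code and the discretionary data exist only for the duration of the authorization. That distinction is exactly what Requirement 3 protects and exactly what in-transit capture bypasses.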
The simple act of making a purchase with a credit card results in a
complicated process involving a surprising number of different entities.
The most important entities are: Cardholder, Merchant, Merchant Bank
(also called an Acquiring Bank or Acquirer), Card Issuer (also called an
Issuer or Issuer Bank) and Card Association. The Cardholder is the
authorized person attempting to use the credit card to make a purchase.
The Merchant is the business (authorized to accept the credit card) who
wishes to sell the item(s) to the cardholder. The Merchant Bank or
Acquiring Bank is the financial institution who the merchant contracted
with to accept credit card payments. The Card Issuer is the financial
institution that provided the actual credit card to the cardholder. The
Card Association is Visa, Mastercard, Discover, etc. (Visa U.S.A. Inc.,
2007).
The complete process of using a credit card for a purchase is a
four step process involving all of these entities that consists of the
following: Authorization, Batching, Clearing and Settlement, and
Funding. Authorization is the step where the issuer verifies to the
merchant that they should accept the credit card for this transaction.
In a retail setting like Hannaford Brothers (Card-Present) the
authorization process begins when the customer or cashier swipes the
credit card and ends when the cashier gets authorization approval and
the customer can finish the purchase. In the Batching step the day's
transactions are accumulated, usually until the end of the business day,
and then submitted for clearing and settlement. During the
clearing and settlement step the issuers pay the acquiring bank for the
transactions. Finally, in the Funding step the acquiring bank pays the
merchant for the transactions. From authorization to the merchant
receiving the funds usually takes about three days (Bank of America,
2008).
The Hannaford Brothers forensic examination revealed precisely the
data that was stolen during the data breach: Track 2 data from the cards
used by the customers during their purchase. Given that the data was
stolen during the authorization step this makes sense: the PAN and
expiration date needed to authorize a swiped purchase are exactly what
Track 2 carries, and the request adds only the purchase amount. No other
data on the customer cards, neither Track 1 nor the data printed or
embossed on the card, was stolen during the data breach. Once
Hannaford Brothers knew the exact data that was stolen during the data
breach they could begin planning for the type of fraud that was most
likely to be used by criminals to profit from the stolen data.
THE FRAUD
The ultimate goal of criminals is to use stolen credit card data to
commit fraud. The precise nature of the fraud likely to be committed
depends on the specific data stolen. If only credit card numbers (PANs)
are stolen, without cardholder names or the printed CVV2, the thieves are
largely limited to credit card fraud and, more precisely, Card-Present
credit card fraud. A typical scenario for this
would be for the criminals to create counterfeit credit cards for each
of the stolen credit card numbers and then use these cards in retail
stores to purchase merchandise that would later be re-sold to criminal
fences or to unsuspecting people on websites such as eBay and
Craigslist. If, on the other hand, the stolen data also includes
Personal Identifying Information (PII) such as the customer's name,
then the fraud possibilities greatly expand from simple credit card
fraud to Identity Theft.
The broad definition of Identity Theft was given in the Fair and
Accurate Credit Transactions Act of 2003 as: "A fraud committed or
attempted using the identifying information of another person without
authority". A finer and more useful breakdown of Identity
Theft yields the following two categories: Account Takeover and True
Name identity theft. In Account Takeover the criminal uses the
victim's personal information to take over existing accounts--often
changing the mailing address of the accounts so that for a time the
victim is unaware of the charges made to their accounts. In the True
Name form of identity theft the thief uses the victim's personal
information to open new accounts of which the victim is unaware. Because
all billing would be sent to a different address and the victim is
unaware of the existence of these new accounts, they represent a
significantly greater risk to the victim than the account takeover form
of identity theft.
HANNAFORD BROTHERS PUBLIC RESPONSE
By March 8, 2008 Hannaford Brothers was confident that it understood
the source of the data breach, the specific data stolen and the types of
fraud likely to be committed with the stolen data. On March 10, 2008 it
sent a list of the compromised customer credit card numbers to the major
credit card associations. On March 13, 2008 these associations provided
the list of compromised numbers to their member banks, without naming
Hannaford Brothers as the source of the data breach. Then on March 17,
2008, after being asked about the incident by Massachusetts officials,
Hannaford Brothers general counsel Emily Dickinson delivered a letter to
Massachusetts Attorney General Martha Coakley and the Massachusetts
Office of Consumer Affairs and Business Regulation disclosing the data
breach and some of the details surrounding it. The letter was not
released to the public, but Hannaford Brothers notified the public with a
press release and information pages on its website. Hannaford Brothers
executives as well as Visa and Mastercard declined comment, and Carol
Eleazer, vice president of marketing, acted as liaison with the press
(Pereira, Corporate News: Data Theft Carried Out On Network Thought
Secure, 2008; Naraine, 2008; Kerber, Hannaford case exposes holes in law,
some say, 2008).
THE LAWSUITS
Within days of Hannaford publicly disclosing their data breach a
number of class action suits were filed on behalf of their compromised
customers. These multiple cases were consolidated into one case that was
heard in the U.S. District Court in Portland Maine. A key question in
the case was what should be the consequences to a company that allows
its customers' confidential information to be stolen? For at least 1,800
customers the theft resulted in fraudulent charges on their credit cards.
While the remaining cards, more than four million in all, were not used
for fraud, their holders had to bear the time and inconvenience of
receiving new credit cards and checking to make sure their cards had not
been used fraudulently. The lawsuit sought damages for this loss of time
and money.
The plaintiffs also sought additional damages because they
contended that Hannaford Brothers knew about the breach for at least
three weeks before notifying its customers, thus knowingly exposing its
customers during that time frame to stolen credit card numbers and fraud
(Maxwell, Judge to decide if Hannaford data breach should go to trial,
2009).
THE AFTERMATH
On May 12, 2009 the federal judge hearing the Maine District case
dismissed all but one of the claims against Hannaford Brothers. Judge D.
Brock Hornby ruled that the only claims that could continue were those of
customers who had not been reimbursed by their banks for fraudulent
charges, which turned out to be a single customer. The judge ruled that
merely being inconvenienced by the data breach (either by having to work
with the credit card company to cancel fraudulent charges or by spending
time monitoring the card for fraud) did not meet the legal definition of
injury that would allow them to have a legal claim against the
defendant. The judge wrote that "There is no way to value and
recompense the time and effort that consumers spent in reconstituting
their bill-paying arrangements or talking to bank representatives to
explain what charges were fraudulent. Those are the ordinary
frustrations and inconveniences that everyone confronts in daily life
with or without fraud or negligence. Maine law requires that there be a
way to attach a monetary value to a claimed loss. These fail that
requirement." (Maxwell, Judge tosses all but one Hannaford data
breach claim, 2009)
Although it appears that Hannaford Brothers has avoided a long,
costly class action suit from its compromised customers, the costs
associated with the data breach are still very significant. The company
was confident it had found the malware program that caused the breach,
but to be safe it replaced all of the computer hardware. Some of the
forensic team who worked for over a week to uncover the malware were
Secret Service experts, but others were outside industry people who
presumably had to be paid by Hannaford Brothers. Finally, to ensure that
a data breach of this type does not happen again, Hannaford Brothers
announced that it planned to spend millions of dollars on new technology
to upgrade its IT security infrastructure (Vijayan, Paying breach bill
may not buy Hannaford full data protection, 2008). On reviewing the
intended security upgrades, industry experts said that the changes would
exceed the PCI DSS security standards (Kaplan, After breach, Hannaford
details IT security remodel, 2008).
DISCUSSION QUESTIONS
1. What data is stored on a credit card?
2. Which credit card data is used in Card-Present transactions?
Which data is used in Card-Not-Present transactions?
3. Why is some of the data printed on the card and some of it
stored in the magnetic stripe?
4. Describe the credit card authorization process and the entities
involved.
5. How does the type of data stolen determine the types of fraud it
can be used for?
6. What type of fraud could the stolen Hannaford Brothers data be
used for?
7. How was the data stolen in the Hannaford Brothers data breach?
8. Hannaford Brothers described the cause of their data breach as a
"new and novel" approach. Why?
9. Describe the PCI standard requirements that are most relevant to
the Hannaford Brothers breach. Was Hannaford Brothers in compliance with
these requirements?
10. In their public statements about the data breach, why did
Hannaford Brothers emphasize that no personal identifying information had
been compromised?
11. Although Hannaford Brothers compromised payment card data for
over four million customers, the Maine district court judge dismissed
the class action suit before it could go to trial. Why?
12. Did Hannaford Brothers' negligence lead to the data breach? Why
or why not?
REFERENCES
Bank of America. (2008). Card Processing Basics. BankOfAmerica.com,
Retrieved July 1, 2009, from
http://www.bankofamerica.com/small_business/
merchant_card_processing/index.cfm?template=card_processingbasics.
Claburn, T. (2008, April 1). Hannaford Data Breach Blamed On
Malware. Information Week, Retrieved July 1, 2009, from
http://www.informationweek.com/news/security/
showArticle.jhtml?articleID=207001073.
Gallagher, N. (2008, March 20). Data stolen from Hannaford during
transit. Portland Press Herald / Maine Sunday Telegram, Retrieved July 1,
2009, from http://pressherald.mainetoday.com/story.php?id=176693.
Hench, D. (2008, April 6). Much remains a mystery in analysis of
Hannaford security breach. Portland Press Herald / Maine Sunday Telegram,
Retrieved July 1, 2009, from
http://pressherald.mainetoday.com/story.php?id=179920&ac=.
Hoffman, T. (2005, January 21). Grocer rings up savings with Linux
cash registers: Hannaford says the new POS systems boost productivity.
Computerworld, Retrieved July 1, 2009, from
http://www.computerworld.com/softwaretopics/software/apps/
story/0,10801,99344,00.html.
Kaplan, D. (2008, April 3). After breach, Hannaford details IT
security remodel. SC Magazine, Retrieved July 1, 2009, from
http://www.scmagazineus.com/After-breach-Hannaford-
details-IT-security-remodel/article/109341/.
Kaplan, D. (2008, April 1). Hannaford tells regulators how breach
happened. SC Magazine, Retrieved July 1, 2009, from
http://www.scmagazineus.com/
Hannaford-tells-regulators-how-breach-happened/article/108569/.
Kerber, R. (2008, March 28). Advanced tactic targeted grocer. The
Boston Globe, Retrieved July 1, 2009, from
http://www.boston.com/news/local/articles/
2008/03/28/advanced_tactic_targeted_grocer/.
Kerber, R. (2008, March 18). Grocer Hannaford hit by computer
breach. The Boston Globe, Retrieved July 1, 2009, from
http://www.boston.com/business/articles/2008/03/18/
grocer_hannaford_hit_by_computer_breach.
Kerber, R. (2008, March 30). Hannaford case exposes holes in law,
some say. The Boston Globe, Retrieved July 1, 2009, from
http://www.boston.com/business/articles/2008/03/
30/hannaford_case_exposes_holes_in_law_some_say/.
Krebs, B. (2009, April 15). Glut of Stolen Banking Data Trims
Profits for Thieves. The Washington Post, Retrieved July 1, 2009, from
http://voices.washingtonpost.com/securityfix/2009/
04/glut_of_stolen_banking_data_tr.html.
Krebs, B. (2008, May 14). Three Charged With Hacking Dave &
Buster's Chain. The Washington Post, Retrieved July 1, 2009, from
http://voices.washingtonpost.com/securityfix/2008/
05/three_charged_with_hacking_dav.html.
Liberty Alliance Project. (2005). Identity Theft Primer.
Litan, A. (2008, March 20). Hannaford Case Shows Need for
End-to-End Card Data Security. Gartner Inc.
Maxwell, T. (2009, April 2). Judge to decide if Hannaford data
breach should go to trial. Portland Press Herald / Maine Sunday Telegram,
Retrieved July 1, 2009, from
http://pressherald.mainetoday.com/story.php?id=248452.
Maxwell, T. (2009, May 13). Judge tosses all but one Hannaford data
breach claim. Portland Press Herald / Maine Sunday Telegram, Retrieved
July 1, 2009, from http://pressherald.mainetoday.com/
story.php?id=256153&ac=PHbiz.
McGlasson, L. (2008, April 4). Hannaford Data Breach May be
'Tip of the Iceberg'. BankInfoSecurity.com, Retrieved July 1,
2009, from http://www.bankinfosecurity.com/articles.php?art_id=810.
Naraine, R. (2008, March 28). Targeted Malware Used in Hannaford
Credit Card Heist. Eweek, Retrieved July 1, 2009, from
http://www.eweek.com/c/a/Security/
Targeted-Malware-Used-in-Hannaford-Credit-CardHeist/
?kc=EWKNLSTE040108STR5.
PCI Security Standards Council. (2008). Payment Card Industry (PCI)
Data Security Standard, Version 1.2. PCI Security Standards Council.
PCI Security Standards Council. (2008). Payment Card Industry (PCI)
Data Security Standard: Requirements and Security Assessment Procedures
Version 1.2. PCI Security Standards Council.
Pereira, J. (2008, March 18). Chains Report Stolen Card Data. Wall
Street Journal, p. B4.
Pereira, J. (2008, March 31). Corporate News: Data Theft Carried
Out On Network Thought Secure. Wall Street Journal, p. B4.
Sharp, D. (2008, March 17). Hannaford supermarket chain reports
data breach. The Boston Globe, Retrieved July 1, 2009, from
http://www.boston.com/business/articles/2008/
03/17/hannaford_supermarket_chain_reports_data_breach/.
United States Government Accountability Office. (2007, June).
Personal Information: Data Breaches are Frequent, but Evidence of
Resulting Identity Theft Is Limited; However the Full Extent is Unknown.
GAO Report , pp. 13-14.
Verizon Business RISK team. (2009). 2009 Data Breach Investigations
Report. Verizon.
Vijayan, J. (2008, March 20). Hannaford hit by class-action
lawsuits in wake of data-breach disclosure. Computerworld, Retrieved
July 1, 2009, from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9070281.
Vijayan, J. (2008, April 28). Paying breach bill may not buy
Hannaford full data protection. Computerworld, Retrieved July 1, 2009,
from http://www.computerworld.com/action/
article.do?command=viewArticleBasic&articleId=317307.
Visa U.S.A. Inc. (2007). Rules for Visa Merchants--Card Acceptance
and Chargeback Management Guidelines. Visa U.S.A. Inc.
Wickenheiser, M. (2008, April 23). In wake of breach, Hannaford
steps up security. Portland Press Herald / Maine Sunday Telegram, Retrieved
July 1, 2009, from http://pressherald.mainetoday.com/story.php?id=183271&ac=&pg=1.
Wikipedia. (Viewed: June 22, 2009). Magnetic Stripe Card.
http://en.wikipedia.org/wiki/Magnetic_stripe_card.
Danial L. Clapper, Western Carolina University