Stolen data and fraud: the Hannaford Brothers data breach. (Instructor's Note)
Clapper, Danial L.
CASE DESCRIPTION
The primary subject matter in this case is an in-depth look at one of the most well known data breach victims of 2008: the Hannaford Brothers grocery chain. This case can be used as a short case illustrating how an organization can become a data breach victim, the type of data criminals are interested in stealing, how they use stolen data to commit fraud and the possible legal consequences of allowing confidential information to be stolen.
To facilitate a more in-depth analysis if desired, the case and discussion questions are grouped into the following dimensions: Credit card data and processes, Credit card fraud and Identity Theft, Technical details of how the criminals accomplished the data theft and the legal aspects of the lawsuits that resulted from the data breach. Any or all of these dimensions can be explored in more depth by either the entire class or different student groups.
The basic case has a difficulty level of one or two and is suitable for a general undergraduate business course. With a deeper exploration of one or more of the above dimensions the case could be used to better understand criminal data theft and fraud in an upper-level accounting or finance course. More time spent on how the data was stolen would be appropriate for an information security course, particularly with an emphasis on information technology. It could also be used in a business law or issues course to explore the legal environment surrounding data breaches, customer notification and possible legal consequences of a data breach. The basic case is designed to be taught in three class hours and is expected to require three hours of preparation by students.
CASE SYNOPSIS
Hannaford Brothers Company is a regional grocery company with stores throughout the eastern United States. On March 17, 2008 Hannaford Brothers announced that it had been the victim of a malware attack it characterized as "new and sophisticated" which resulted in over 4.2 million credit and debit card numbers being compromised. In every one of its close to 300 grocery stores in Maine, Vermont, New Hampshire, Massachusetts, New York and Florida the malware had intercepted credit and debit card data after the customers swiped their card at the checkout counters. This stolen credit card data was fraudulently used in at least 1,800 cases in the U.S. as well as in Mexico, Bulgaria and Italy. On March 19, 2008 an attorney in Maine filed a class-action lawsuit against Hannaford Brothers. Other lawsuits followed shortly.
This case explores one of the most notorious data breaches of 2008--a year which according to one report had more records compromised than the preceding four years combined. Students will learn how the data was stolen, how criminals used the stolen data to commit fraud, the security standards in place to protect data and the results of the lawsuits against Hannaford Brothers.
INSTRUCTORS' NOTES
Recommendations for Teaching Approaches
In the case typology suggested by Lynn (Lynn, 1999) this case is an "Illustrative Case". It illustrates how an organization--even when its IT security meets industry standards--can fail to protect its customers' data when confronted with clever, high-tech criminals. Because it is an illustrative case it was designed to be used to explore a number of quite different dimensions of a data breach.
It is recommended to first discuss the timeline of the key events and responses for the data breach. That timeline is shown in the next section.
Next the instructor can explore any or all of the following dimensions: the nature of credit card data and the processes and entities involved in making a credit card purchase, how criminals use stolen data to commit fraud, how the criminals engineered the Hannaford Brothers data breach, and the legal issues Hannaford Brothers faced after publicizing its data breach. Although the case is self-contained, it is designed to allow instructors to drill down into any or all of these dimensions. To facilitate that deeper exploration, in these Instructors' Notes answers to the Discussion Questions have been grouped as follows: Credit Card Data (1-4), Fraud (5-6), The Data Theft (7-9), and Lawsuits (10-12). Each of these sections contains specific advice and suggestions for that dimension.
This approach gives the instructor a great deal of flexibility to explore the dimensions most relevant to their course. An introductory course for business students may want to use this as a short case with just the material contained in the case. An accounting or finance course may want to further explore the nature of credit card data, the processes and entities involved in the credit card process and the nature of credit card fraud and identity theft. A Computer Information Systems course could further explore the technical aspects of how the data theft occurred, the IT security standards for the payment card industry and how the data breach was able to occur despite the standards being met. Finally, a business law course could certainly do a much more in-depth exploration of the plaintiff's and defendant's positions in the class action suit and the ruling of the judge on the case.
It is recommended that some in-class time be devoted to students working on their associated questions, but much of their preparation time will likely be spent out of class. To facilitate independent student exploration, the case Reference section has URLs for almost every resource referenced in the case. In most circumstances these references will be all the resources students need to gain a thorough understanding of all the dimensions of this case.
Timeline
Data breach begins: December 7, 2007. The data breach begins--unknown to Hannaford Brothers at the time.
A problem is detected: February 27, 2008: Hannaford is notified by First Data--which handles transactions for Discover and American Express--about a high number of fraudulent charges on credit cards which have previously been used at Hannaford stores (Wickenheiser, 2008). The company notifies the Secret Service which assembles a team of computer forensic experts to investigate. The team of over 30 information technology experts works around the clock for over a week before they discover the malware program which is stealing the credit card data.
The malware is identified: March 8, 2008: The company feels that it has identified the malware that has caused the data breach. It then replaces all of the system hardware and rechecks the software (Hench, 2008).
March 10, 2008: Hannaford sent a list of the compromised customer credit card numbers to the major credit card associations.
March 13, 2008: These credit card associations notified their member banks of the compromised numbers--without naming Hannaford Brothers as the source of the data breach.
March 17, 2008: After being asked about this incident by Massachusetts officials, Hannaford Brothers general counsel Emily Dickinson delivers a letter to Massachusetts Attorney General Martha Coakley and the Massachusetts Office of Consumer Affairs and Business Regulation disclosing the data breach and some of the details surrounding it. The letter was not released to the public, but Hannaford Brothers notified the public with a press release and information pages on its website (Pereira, Corporate News: Data Theft Carried Out On Network Thought Secure, 2008; Naraine, 2008; Kerber, Hannaford case exposes holes in law, some say, 2008).
March 19, 2008: An attorney in Maine files a class-action lawsuit against Hannaford Brothers. Other lawsuits follow and are later combined into a class action lawsuit.
May 12, 2009: Federal court judge Brock Hornby dismisses all but one of the class action claims against Hannaford Brothers.
Credit Card Data and Process Dimension
This dimension could be explored by one group or two. If two groups are used, the groups could be Credit Card Data (Questions 1-3) and Credit Card Processes and Entities (Question 4). Either of these topics could be explored by any business undergraduate or graduate student--no particular major is required, although Accounting and Finance students may find it particularly relevant.
The Credit Card Data group can rely on the Wikipedia source (Wikipedia, Viewed: June 22, 2009). While Wikipedia may not be the most ideal source, this article does a nice job of explaining some technical material in a clear manner. Other reference sources are going to be hard to come by and tend to be much too technical for the purposes of this case. This topic is the foundation for understanding the Fraud section and getting students to start looking at data with a finer perspective--not all data is equal and if your organization is a victim of a data breach there are very different responses and likely repercussions depending on the exact data that is compromised.
Credit Card Process and Entities is not core to the case and therefore can be treated as optional. However, if it fits with the course, this would be a nice opportunity for students to gain an understanding of what's going on behind the scenes when they or their customers use a payment card for a purchase. The Hannaford Brothers data was stolen during the Authorization step--so the students could focus entirely on that step--but again this might be a good opportunity to get a look at all the steps involved from authorization to funds being transferred. It is not a trivial set of steps and students may find it a little eye-opening. The Visa document for merchants (Visa U.S.A. Inc., 2007) is an excellent reference for this and it contains some nice, clear graphics which the students may be able to incorporate into a presentation. The Bank of America source (Bank of America, 2008) also has an excellent graphic showing both the process steps and the entities involved. These two sources will probably be all the students need for this topic.
1. What data is stored on a credit card?
Credit cards carry data in two different types of storage: visible data on the surface of the card itself (either printed or embossed) and data stored in the magnetic stripe on the back of the card, which can only be read by a card reader. The most important data stored on the surface of the card is the credit card number (Primary Account Number or PAN), which is typically embossed on the card, and the CCV2, which is usually printed on the back of the card.
The information stored on the magnetic stripe is called "Track Data". When the card is swiped, the data needed to authorize the purchase is read from the tracks. There are three separate tracks, but typically only the first and second tracks, or the second track alone, are used for a credit card transaction. The key data contained in the tracks are:
Track 1 data: 1. Primary Account Number (PAN)--this should be the same as the number that is embossed on the card, 2. Customer Name and 3. Expiration Date.
Track 2 data: 1. Primary Account Number (PAN)--this should be the same as the number that is embossed on the card, 2. Expiration Date.
The tracks may contain additional data, but this is the key data needed for transactions and which must be protected.
Note that of the two tracks commonly used in payment cards (Track 1 and Track 2) only Track 1 has personal identifying information--the card holder's name. So if a criminal steals only Track 2 data--as was the case in the Hannaford Brothers breach--the stolen data can only be used for credit card fraud, not for Identity Theft. This will be explored in more detail in the Fraud section.
2. Which data is used in Card-Present transactions? Which data is used in Card-Not-Present transactions?
In a typical retail setting--such as the Hannaford Brothers grocery stores--both the customer and their card are physically present for the transaction. This is the "Card Present" situation. In this situation the card is "swiped" as the customer pays for the purchase. In this setting, the non-stripe data is not used as part of the transaction. So the data either printed or embossed on the card is not used as part of the transaction. Instead, as the card is swiped the Point of Sale (POS) card reader obtains the data it needs from the magnetic stripe on the back of the card. Typically this will be the PAN and perhaps the Expiration Date.
For a typical online purchase neither the customer nor their card is physically present. This is the "Card-Not-Present" situation. In this situation the customer reads the PAN, Expiration Date and CCV2 values from the surface of their card and enters them into an online order form. So for an online purchase the magnetic stripe is not used at all--only the data either printed or embossed on the card is used.
3. Why is some of the data printed on the card and some of it stored in the magnetic stripe?
The CCV2 is used to help prevent fraud in "Card-Not-Present" transactions by helping to verify that the customer actually has physical possession of the credit card and not just a stolen credit card number. This works because the CCV2 value is never stored on the magnetic stripe of the credit card (even in encrypted form); it is only present on the surface of the card (Visa U.S.A. Inc., 2007).
So if magnetic stripe Track Data is stolen (as it was at Hannaford Brothers) the thieves would not have the CCV2 values for the stolen card numbers and thus would not be able to use the stolen card numbers for online purchases. This limits the types of fraud that can be done using stolen track data--which is exactly the purpose of the CCV2.
4. Describe the credit card authorization process and the entities involved.
In a card-present situation like Hannaford Brothers, credit card authorization happens in real-time while the customer waits. When the card is swiped the POS terminal reads the primary account number from the magnetic stripe on the card and sends this (through the store system) on to the merchant bank for permission to proceed with the transaction. The merchant bank sends the number to the card organization and receives an authorization to proceed. Typically the only data needed from the customer card is the PAN and is most commonly read from Track 2 of the magnetic stripe.
The Fraud Dimension
This dimension probably lends itself to a single group of students working on it. No particular major is required, although accounting and finance students might be particularly interested in learning more about financial fraud. An important objective of this case is to illustrate why criminals perpetrate data breaches--which is to use the stolen data to commit fraud. Although this seems fairly obvious, in the process of answering these questions the students will get a clear view of exactly how criminals convert stolen card data into cash. In addition to learning the how of fraud, students will also explore what type of data criminals need to do what type of fraud. Different types of stolen data are required to commit different types of fraud--some are certainly more valuable to criminals than others. Understanding this will hopefully get students thinking about taking a finer look at the data their organization may collect and use.
5. How does the type of data stolen determine the types of fraud it can be used for and in what settings?
The case describes three types of fraud: Credit Card fraud, Account Takeover Identity Theft and True Name Identity Theft. Both types of Identity Theft start with stolen personal identifying information, such as Social Security Number, Name, Address, etc. If the stolen data does not include this type of personal identifying information then it cannot be the basis of Identity Theft fraud.
Credit card fraud, however, does not require personal identifying information; it simply requires a stolen primary account number. With only a PAN the criminal will probably be limited to fraud in a card-present setting. This can be done by creating a counterfeit card with the stolen PAN embossed on the outside of the card and stored in Track 2 of the magnetic stripe. The counterfeit card can then be used to purchase items for re-sale, to purchase items that can be returned for cash, or to purchase gift cards--which can then be sold or used to purchase items. Since the criminals have to be physically present when committing this type of fraud, it is a high risk for the criminals.
Credit card fraud in a card-present situation is a high risk crime. It is much less risk for the fraud perpetrator if they can do their fraud over the Internet, rather than in a face-to-face setting. A card-not-present credit card fraud scenario would typically involve the criminal fraudulently using credit card data to make purchases from an online site. Since they make this order online, it is much less risk to the criminal and so much more attractive. But websites should require online buyers to enter the CCV2 value in addition to the PAN and expiration date. The CCV2 value is not stored on the magnetic stripe of payment cards, so if the thief has managed to steal track data (as in the case of Hannaford Brothers) they will not have the CCV2 values needed to make illegal purchases on the Internet.
6. What type of fraud could the stolen Hannaford Brothers data be used for? What could it not be used for?
Since only Track 2 data was stolen from Hannaford Brothers, the type of fraud it could be used for is card-present credit card fraud--the least attractive and highest risk to criminals. The stolen Hannaford Brothers data could not be used for either of the types of Identity Theft (Account Takeover and True Name), nor could it be used in Card-Not-Present credit card fraud.
The limited fraud options available using the stolen Hannaford Brothers data could be one explanation for the huge difference between the number of credit cards compromised and the actual number of credit card fraud cases reported. While over four million cards were potentially stolen, only 1,800 cases of credit card fraud were reported. So only a very, very small percentage of the stolen Hannaford Brothers customer cards were actually used to commit fraud.
It might be interesting at this point in the class discussion to point out that very often the people stealing the card information are not the same people who are using the stolen information to commit fraud. These two groups may be part of the same criminal organization or they may not. There are a number of websites available for criminals who have stolen data to sell it to other criminals who will use it for fraud. A fascinating article describing these websites is "Data Breaches: What the Underground World of 'Carding' Reveals" (Peretti). This could certainly be a topic for a small group to explore and relate to the class.
The Data Theft Dimension
This is the dimension that lends itself to a more technical exploration. Students who are CIS, MIS, or CS majors or who just have a strong interest in computer technology would be ideally suited to explore this dimension. If there are enough students for two groups, they could be divided to explore how the data was stolen and the PCI standard. Although the case sketches out the key details of how the data was stolen, a more in-depth explanation would likely benefit all students.
A key point for this dimension is that there is no evidence that Hannaford Brothers was negligent in protecting its customers' payment card information. Its approach to security was considerably more thorough than that of many retailers (ironically, this system was featured in a 2005 Computerworld article as an example of a new, modern POS) (Hoffman, 2005). The questions of how the data theft occurred provide the foundation for understanding the relevant PCI standard requirement and the fact that Hannaford Brothers was in PCI compliance at the time of the data breach. It is particularly ironic that the day the data breach actually began was the same day that Hannaford Brothers was re-certified as PCI compliant.
For the purposes of this case it is really only the PCI standards having to do with securing and protecting customer card data that are most relevant. But the PCI standard document is probably quite accessible to more technical students, so one possible additional exploration is to have a student group do an overview of the entire standard. Regardless of how in depth the standard is explored, a clear learning objective is that--as Hannaford Brothers illustrates--just because your company meets industry security standards doesn't mean that you are immune to criminals trying to steal your data.
7. How was the data stolen in the Hannaford Brothers data breach?
The data was stolen from each of the Hannaford Brothers grocery stores in the process of credit card authorization. In each of the stores was one server which received authorization data from the multiple Point of Sale (POS) terminals in the store. When the customer swiped their card at a POS terminal, the Track 2 data from the customer card (the PAN and possibly the expiration date) was transmitted from the POS terminal to the store server and then from the store server out to the bank responsible for authorizing the transaction. The authorization response was sent back to the store server, which then sent it back to the POS terminal and (assuming authorization was successful) allowed the customer to complete the purchase transaction. This process happened each time a customer swiped their card to make a purchase and happened in real-time while the customer waited.
The criminals were able to steal this data while it was moving through this authorization process (in-transit) by inserting a malware program onto the store server. This malware program was probably a customized packet-sniffing program which was able to read all the packets of data coming to the server, identify the ones containing track 2 data and store that stolen data in a temporary file on the server. The malware then regularly connected to a site outside the United States and sent all of the stolen data to that site.
8. Hannaford Brothers described the cause of their data breach as a new and novel approach. Why?
This data theft approach was unusual for a number of reasons--the first of these is the operating system of the computer the malware ran on. Currently close to 90% of the computers in the world use a Microsoft operating system (Keizer, 2008). However the malware that stole the data from Hannaford Brothers was designed to run on a computer running the Linux operating system. Although Linux is widely used as a server OS, currently less than 1% of non-server machines run Linux and thus there has been little financial incentive for malware writers to create malware for Linux. This has led some to the conclusion that this malware was custom written to target Hannaford Brothers' system. The uniqueness of this malware is also reflected in how difficult it was for the computer forensic team to find and identify. It took a thirty person team of Secret Service and other computer forensic experts--working around-the-clock--over a week to find this malware program.
Another unusual aspect of this malware is that the criminals were able to place it on over three hundred store servers distributed from Maine to Florida. Speculation about how this was done ranges from an inside job, to malware that moved from one server to the next until it was on all of the servers. But neither Hannaford Brothers nor the Secret Service has publicly detailed how this was achieved and it is possible that neither know.
A final unusual aspect of this data breach is that the data was stolen in-transit during the authorization process. A more typical approach used by criminals is to target databases containing credit card data "at rest", i.e., stored in a database--possibly during the daily batching process step. A Gartner report states that the Hannaford Brothers data breach was the first publicized case of sensitive card authorization data being stolen in transit (Litan, March 20, 2008).
9. Describe the PCI standard requirements that are most relevant to the Hannaford Brothers breach. Was Hannaford Brothers in compliance with these requirements?
The PCI Data Security Standard objective that is most relevant to data breaches is: Protect Cardholder Data. Under this objective are two requirements: Requirement 3--Protect stored cardholder data, and Requirement 4--Encrypt transmission of cardholder data across open, public networks. In the Hannaford Brothers data breach the thieves did not target any database of cardholder data (data-at-rest); instead they targeted the credit card authorization data as it moved through the store server (data-in-transit) as part of the authorization process. Therefore, DSS Requirement 4 would seem to be most relevant.
The authorization data that the Hannaford Brothers thieves stole in-transit was not encrypted--so it would seem that Requirement 4 was not met. But the requirement specifies only open, public networks. The examples it gives are the Internet, wireless technologies, Global System for Mobile communications and General Packet Radio Service. The PCI requirement does not say that cardholder data must be encrypted as it moves around a private store network--which was exactly where the Hannaford Brothers data was stolen. Therefore, Hannaford Brothers did not violate this requirement of the PCI Data Security Standard.
In fact, Hannaford Brothers does not appear to have violated any of the PCI standards. This is shown by the fact that Hannaford Brothers was re-certified as PCI compliant on February 27, 2008--the same day that the data breach was discovered. Obviously neither Hannaford Brothers nor the security auditors knew early on February 27 that a data breach had begun, but this ironic twist puts a particular highlight on the fact that meeting industry security requirements (in this case the PCI DSS) is no guarantee that your organization is immune from hackers trying to steal your data. Hannaford Brothers is an example of a company that seemed to be doing the right things, was in compliance with industry security standards and still was hit by a massive data breach caused by criminals.
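The following is an added example, not code from the case or from Hannaford Brothers, that ties Questions 1, 5-6 and 7-9 together: it parses magnetic-stripe track data in the ISO/IEC 7813 layout, applies the case's rules on what fraud a given set of stolen fields supports, and runs a DLP-style check over constructed store-LAN authorization records to flag cleartext Track 2 data, the gap PCI DSS Requirement 4 leaves on private networks. The log format, terminal names and track strings are constructed (the PANs are the standard published test numbers), and the rule that identity theft needs SSN- or address-type identifiers rather than just the Track 1 name is a simplification of the case's wording.

```python
"""Track-data parsing, fraud-exposure classification and cleartext-PAN
detection for the Hannaford Brothers case (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# ISO/IEC 7813 track layouts (the standard's format, not taken from the case):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{8,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(?P<pan>\d{8,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


@dataclass
class TrackRecord:
    track: int
    pan: str
    expiry: str          # YYMM as encoded on the stripe
    name: Optional[str]  # only Track 1 carries the cardholder name

    def fields(self) -> Set[str]:
        f = {"pan", "exp"}
        if self.name:
            f.add("name")
        return f


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every PAN passes; cuts false positives when scanning."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(data: str) -> Optional[TrackRecord]:
    """Parse one raw string; returns None if it holds no valid track data."""
    m = TRACK1_RE.search(data)
    if m and luhn_ok(m["pan"]):
        return TrackRecord(1, m["pan"], m["exp"], m["name"].strip())
    m = TRACK2_RE.search(data)
    if m and luhn_ok(m["pan"]):
        return TrackRecord(2, m["pan"], m["exp"], None)
    return None


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def fraud_exposure(stolen: Set[str]) -> Dict[str, bool]:
    """Apply the case's rules to a set of stolen field names.
    Assumption (simplified from the case): identity theft needs SSN- or
    address-type identifiers, not just the cardholder name from Track 1."""
    return {
        "card_present_fraud": "pan" in stolen,                       # a PAN alone suffices
        "card_not_present_fraud": {"pan", "exp", "cvv2"} <= stolen,  # CCV2 is never on the stripe
        "identity_theft": bool(stolen & {"ssn", "address"}),
        "pii_present": "name" in stolen or bool(stolen & {"ssn", "address"}),
    }


def exposure_from_tracks(raw_tracks: List[str]) -> Dict[str, bool]:
    """What a thief could do with a set of sniffed track strings."""
    stolen: Set[str] = set()
    for raw in raw_tracks:
        rec = parse_track(raw)
        if rec:
            stolen |= rec.fields()
    return fraud_exposure(stolen)


def scan_capture(lines: List[str]) -> List[Dict[str, str]]:
    """DLP-style check: flag any record carrying cleartext track data.
    Run over authorization traffic on the store LAN, this surfaces the gap the
    case describes (Requirement 4 only mandates encryption on public networks)."""
    findings = []
    for line in lines:
        rec = parse_track(line)
        if rec:
            findings.append({"track": str(rec.track), "pan": mask_pan(rec.pan),
                             "source": line.split()[1]})
    return findings


# Constructed sample records (not real traffic or real cards; 4111... and
# 5555... are published test PANs). Two POS terminals send cleartext Track 2,
# one hop carries an encrypted payload, one line is an unrelated status message.
SAMPLE_CAPTURE = [
    "2008-03-05T14:02:11 pos07 storesrv auth_req payload=;4111111111111111=1012101123456?",
    "2008-03-05T14:02:12 storesrv acqbank auth_req payload=ENC:b64:3q2+7w==",
    "2008-03-05T14:02:15 pos12 storesrv auth_req payload=;5555555555554444=1109101654321?",
    "2008-03-05T14:03:00 pos03 storesrv status ok",
]

if __name__ == "__main__":
    # Hannaford-style haul: Track 2 only -> card-present fraud, nothing else
    print(exposure_from_tracks([SAMPLE_CAPTURE[0], SAMPLE_CAPTURE[2]]))
    for finding in scan_capture(SAMPLE_CAPTURE):
        print(finding)
```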
The Lawsuit Dimension
The description of the lawsuit in this case is brief. It conveys the bare essentials but if there are students interested in exploring this dimension, there is a great deal of interesting work to be done. A group of students could certainly do a much more in-depth exploration of question eleven and highlight the plaintiff's specific accusations and the judge's response to them. In addition, a group could compare this case with one of the other high profile data breaches of 2008--TJ Maxx. The structure of this case provides an excellent foundation for understanding the TJ Maxx data breach and why that data breach led to hundreds of millions of dollars in consequences for the organization, while the Hannaford Brothers class action suit was dismissed before even going to trial.
10. In their public statements about the data breach, why did Hannaford Brothers emphasize that no personal identifying information had been compromised?
As discussed in the Fraud section of these notes, stolen personal identifying information (PII) can be used for Identity Theft. However, if only credit card numbers are stolen--and not PII--then criminals are limited to credit card fraud rather than identity theft. Since the stolen data could not be used for identity theft, Hannaford Brothers maintained that identity theft disclosure laws did not apply to this data breach. Their position was that they voluntarily decided to disclose this data breach; they were not legally required to do so. This position seems to have been supported by the subsequent lack of lawsuits based on state identity theft laws from customers, states, the FTC or the Department of Justice.
Although it is outside the scope of this case, it is interesting to note how different this is from the array of lawsuits that TJ Maxx experienced after its data breach and which led to hundreds of millions of dollars in expenses. For more legally oriented students it would be very interesting to explore how different the consequences of data breaches were for Hannaford Brothers and TJ Maxx and why they were so different. There would be some interesting and valuable insights into how the consequences of data breaches can vary hugely depending on crucial questions concerning the exact nature of the stolen data and how well the company was judged to have protected it.
11. Although Hannaford Brothers compromised payment card data for over four million customers, the Maine district court judge dismissed the class action suit before it could go to trial. Why?
Because the stolen data could only be used for credit card fraud, not identity theft, the customers who were victims of fraud were reimbursed by their banks. Therefore the losses the customers experienced were not monetary but instead more along the lines of time and inconvenience. The judge ruled that this inconvenience and lost time did not meet Maine's definition of an injury that could merit a legal claim. Therefore the judge dismissed that class action lawsuit. The one exception to this was the one customer who claimed not to have been reimbursed by their bank. The judge ruled that this and only this customer could continue with their lawsuit against Hannaford Brothers.
12. Did negligence by Hannaford Brothers lead to the data breach? Why or why not?
Although it is natural to want Hannaford Brothers to be at fault for having millions of their customers' credit card records stolen, it's hard to really find negligence on their part. They were meeting industry security standards (PCI DSS) at the time of the breach. They were using a modern, up-to-date point of sale system for which they actually received accolades from the technical press (Hoffman, 2005). The malware that was the source of the data breach was far from typical and appeared to be custom written to target Hannaford Brothers. It was not one of the many well-known malware programs that can be easily detected and stopped with off-the-shelf anti-virus software. In fact, the malware was so unique it took a large team of experts weeks to find it, even once they knew that some type of data breach must have occurred. As covered in an earlier question, the malware really was--as Hannaford Brothers stated to the press--new and novel.
Although the responsibility for maintaining the integrity of its customers' data rests with Hannaford Brothers, there doesn't appear to be any negligence on their part that led to the data breach. Instead it appears that they were the victim of a targeted, sophisticated criminal attack that was successful despite a level of security which was quite likely higher than that of the majority of retail organizations at the time.
EPILOGUE
On August 17, 2009 three individuals were indicted for conspiring to commit the largest data breaches of 2008 (Gaudin, 2009). One of those data breaches was Hannaford Brothers.
REFERENCES
Bank of America. (2008). Card Processing Basics. BankOfAmerica.com, Retrieved July 1, 2009, from http://www.bankofamerica.com/small_business/merchant_card_processing/index.cfm?template=card_processing_basics.
Claburn, T. (2008, April 1). Hannaford Data Breach Blamed On Malware. Information Week, Retrieved July 1, 2009, from http://www.informationweek.com/news/security/showArticle.jhtml?articleID=207001073.
Gallagher, N. (2008, March 20). Data stolen from Hannaford during transit. Portland Press Herald Maine Sunday Telegraph, Retrieved July 1, 2009, from http://pressherald.mainetoday.com/story.php?id=176693.
Gaudin, S. (2009, August 17). Three indicted for hack attacks on Heartland, Hannaford. Computerworld, Retrieved August 19, 2009, from http://www.computerworld.com/s/article/9136737/Three_indicted_for_hack_attacks_on_Heartland_Hannaford.
Hench, D. (2008, April 6). Much remains a mystery in analysis of Hannaford security breach. Portland Press Herald Maine Sunday Telegraph, Retrieved July 1, 2009, from http://pressherald.mainetoday.com/story.php?id=179920&ac=.
Hoffman, T. (2005, January 21). Grocer rings up savings with Linux cash registers: Hannaford says the new POS systems boost productivity. Computerworld, Retrieved July 1, 2009, from http://www.computerworld.com/softwaretopics/software/apps/story/0,10801,99344,00.html.
Kaplan, D. (2008, April 2003). After breach, Hannaford details IT security remodel. SC Magazine, Retrieved July 1, 2009, from http://www.scmagazineus.com/After-breach-Hannaford-details-IT-security-remodel/article/109341/.
Kaplan, D. (2008, April 1). Hannaford tells regulators how breach happened. SC Magazine, Retrieved July 1, 2009, from http://www.scmagazineus.com/Hannaford-tells-regulators-how-breach-happened/article/108569/.
Kerber, R. (2008, March 28). Advanced tactic targeted grocer. The Boston Globe, Retrieved July 1, 2009, from http://www.boston.com/news/local/articles/2008/03/28/advanced_tactic_targeted_grocer/.
Kerber, R. (2008, March 18). Grocer Hannaford hit by computer breach. The Boston Globe, Retrieved July 1, 2009, from http://www.boston.com/business/articles/2008/03/18/grocer_hannaford_hit_by_computer_breach.
Kerber, R. (2008, March 30). Hannaford case exposes holes in law, some say. The Boston Globe, Retrieved July 1, 2009, from http://www.boston.com/business/articles/2008/03/30/hannaford_case_exposes_holes_in_law_some_say/.
Krebs, B. (2009, April 15). Glut of Stolen Banking Data Trims Profits for Thieves. The Washington Post, Retrieved July 1, 2009, from http://voices.washingtonpost.com/securityfix/2009/04/glut_of_stolen_banking_data_tr.html.
Krebs, B. (2008, May 14). Three Charged With Hacking Dave & Buster's Chain. The Washington Post, Retrieved July 1, 2009, from http://voices.washingtonpost.com/securityfix/2008/05/three_charged_with_hacking_dav.html.
Liberty Alliance Project. (2005). Identity Theft Primer. Liberty Alliance Project.
Litan, A. (2008, March 20). Hannaford Case Shows Need for End-to-End Card Data Security. Gartner Inc.
Maxwell, T. (2009, April 2). Judge to decide if Hannaford data breach should go to trial. Portland Press Herald Maine Sunday Telegraph, Retrieved July 1, 2009, from http://pressherald.mainetoday.com/story.php?id=248452.
Maxwell, T. (2009, May 13). Judge tosses all but one Hannaford data breach claim. Portland Press Herald Maine Sunday Telegraph, Retrieved July 1, 2009, from http://pressherald.mainetoday.com/story.php?id=256153&ac=PHbiz.
McGlasson, L. (2008, April 4). Hannaford Data Breach May be 'Tip of the Iceberg'. BankSecurity.com, Retrieved July 1, 2009, from http://www.bankinfosecurity.com/articles.php?art_id=810.
Naraine, R. (2008, March 28). Targeted Malware Used in Hannaford Credit Card Heist. eWeek, Retrieved July 1, 2009, from http://www.eweek.com/c/a/Security/Targeted-Malware-Used-in-Hannaford-Credit-CardHeist/?kc=EWKNLSTE040108STR5.
PCI Security Standards Council. (2008). Payment Card Industry (PCI) Data Security Standard, Version 1.2. PCI Security Standards Council.
PCI Security Standards Council. (2008). Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 1.2. PCI Security Standards Council.
Pereira, J. (2008, March 18). Chains Report Stolen Card Data. Wall Street Journal, p. B4.
Pereira, J. (2008, March 31). Corporate News: Data Theft Carried Out On Network Thought Secure. Wall Street Journal, p. B4.
Sharp, D. (2008, March 17). Hannaford supermarket chain reports data breach. The Boston Globe, Retrieved July 1, 2009, from http://www.boston.com/business/articles/2008/03/17/hannaford_supermarket_chain_reports_data_breach/.
United States Government Accountability Office. (2007, June). Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. GAO Report, pp. 13-14.
Verizon Business RISK Team. (2009). 2009 Data Breach Investigations Report. Verizon.
Vijayan, J. (2008, March 20). Hannaford hit by class-action lawsuits in wake of data-breach disclosure. Computerworld, Retrieved July 1, 2009, from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9070281.
Vijayan, J. (2008, April 28). Paying breach bill may not buy Hannaford full data protection. Computerworld, Retrieved July 1, 2009, from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=317307.
Visa U.S.A. Inc. (2007). Rules for Visa Merchants--Card Acceptance and Chargeback Management Guidelines. Visa U.S.A. Inc.
Wickenheiser, M. (2008, April 23). In wake of breach, Hannaford steps up security. Portland Press Herald Maine Sunday Telegraph, Retrieved July 1, 2009, from http://pressherald.mainetoday.com/story.php?id=183271&ac=&pg=1.
Wikipedia. (2009). Magnetic Stripe Card. Retrieved June 22, 2009, from http://en.wikipedia.org/wiki/Magnetic_stripe_card.
Danial L. Clapper, Western Carolina University