
The dumb asses at Hannaford had a data breach

high density, Mon Mar-17-08 07:45 PM
Original message
The dumb asses at Hannaford had a data breach
Edited on Mon Mar-17-08 08:38 PM by high density
If you shop there with a debit or credit card, keep a close eye on your statements.


http://www.hannaford.com/Contents/News_Events/News/News.shtml

http://www.msnbc.msn.com/id/23678909

Needless to say I will shop at Shaws now, even if they have those cussed little cards.

By the way, here's the link to their contact information, the links to which are suspiciously "down for maintenance:"

http://www.hannaford.com/Contents/Our_Company/Contact/index.shtml

MaineDem, Tue Mar-18-08 06:03 AM
Response to Original message
1. I tried to call their "hotline" as advertised on the morning news
Edited on Tue Mar-18-08 06:04 AM by MaineDem
866-591-4580

It's the regular customer service line but it isn't answered until 8:00. Now THAT's really responsive.

My only alternative is WalMart and I'm not about to go there!

high density, Tue Mar-18-08 06:40 AM
Response to Reply #1
2. I tried to call my bank this morning to get a new ATM card issued
But I gave up waiting. I'm sure they're swamped, maybe I'll give a few days for the call volume to drop. After all my information has been out there for about 3.5 months so a few more days might not matter (knock on wood.) I'm going to say goodbye to the debit card w/RFID and go back to the old ATM card. That is if they'll let me.

luckyleftyme2, Tue Mar-18-08 12:53 PM
Response to Reply #2
3. not to worry
Edited on Tue Mar-18-08 12:53 PM by luckyleftyme2
they say they have the hole plugged now. how that helps anyone who has already been compromised is beyond me. best thing to do is change cards.
are they responsible if someone uses your card? HA HA

mainegreen, Tue Mar-18-08 02:52 PM
Response to Original message
4. Interestingly, it sounds like our state law has helped consumers elsewhere..
Edited on Tue Mar-18-08 03:02 PM by mainegreen
Hannaford took responsibility Monday afternoon, shortly after executives notified Maine Attorney General Steven Rowe of the leak.

The company was required to inform the Attorney General's Office under a recently enacted state law meant to warn consumers of potential fraud.


Geee, would they have come forward otherwise?


I'm still not shopping at Shaws. I can't stand that supermarket, and our Hanni's is larger and better stocked than any other local store aside from Whole Paycheck.


I find this bit interesting:
Carol Eleazer, a Hannaford spokeswoman, said thieves accessed card numbers and expiration dates as they were being transmitted for authorization in checkout lines.

I doubt it's a wifi exposure issue, as the card readers use wiring. If it affected so many stores (aka all of them) then it's not a secretly installed packet sniffing hardware at a single location.
That means most likely that a) all their credit card/debit card authorizations go through a single central point, some sort of authorization software package, most likely running on one or more servers at a single location (maybe in Scarborough) and b) that there was a single sniffing software package installed on that network. The good news (sorta) is that this was probably not a database breach. That would indicate shoddy security practices indeed: both a remote exploit and poor database security. I wonder if this was a version of a man-in-the-middle exploit, with the exploit intercepting the authorization requests, passing it on to the real validating software and then returning the real response from the central system back, or if it was a simple packet sniffer.

What baffles me is that either way, this exploit had to either a) send the data back out onto the internet to a single remote site or to a zombie-exploit network (and re-broadcast to a moving central server) or b) someone was working on the inside to download the sniffed results to a storage medium of some sort and walk it out. Both indicate some serious security issues.

Either way, I'm pissed.

Edited: So it looks like it took them at least a week after they found they had a problem to fix it? Doesn't sound like a packet sniffer to me. They could just nuke that once they were aware of it. Not unless it was the most clever, distributed, self replicating son of a bitch ever. Maybe. Sounding more like some sort of clever man-in-the-middle attack.

high density, Tue Mar-18-08 03:03 PM
Response to Reply #4
5. I'm pissed about the amount of time
that it took them to tell us there was a breach. With the info we have so far it sounds like it's very likely that this was at least partially the result of an inside job, possibly relying on access to internal unencrypted communications in one of the scenarios like you had described.

luckyleftyme2, Wed Mar-19-08 04:14 AM
Response to Reply #5
6. the 3 and half months

that tells you it was a highly sophisticated operation. standard security procedure would be to try and catch them. you can't do that without warning them you're aware of the breach.
I'm sure the decision reached authorities long before it reached the customers.
what I wonder is who provided their secured system? and who or what changes are being made.
do they have any leads? will we the public ever know the outcome?
today Hannaford claims they only found out two weeks ago. and one credit union in maine says over 6,000 debit cards of theirs have been compromised.
I believe in this instance the public will not be responsible for any debt incurred fraudulently.
this tells you how inept homeland security really is.

luckyleftyme2, Wed Mar-19-08 06:41 AM
Response to Reply #4
7. interesting

very similar thought process on as maine goes; bonger and pmrsm worth reading.
used to earn a living reading and processing content.