Secretly Installed Software Stole Grocery-Store Customer Data

Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.'s supermarkets across the Northeast and in Florida enabled the massive data breach that compromised up to 4.2 million credit and debit cards, the company said Friday.

The Scarborough, Maine-based grocer confirmed a report in The Boston Globe that it told Massachusetts regulators this week about the link between the breach and the illicit programs, known as "malware."

The company doesn't know how the malware — short for malicious software — got onto nearly all its 271 stores' servers, Hannaford spokeswoman Carol Eleazer said.

"Virtually everything is possible," she said. "There are still many, many aspects that we don't totally understand."

• Click here to visit's Cybersecurity Center.

At least 1,800 cases of fraud have been linked to the data breach, with unauthorized charges showing up as far afield as Mexico, Italy and Bulgaria.

The breach has prompted concern in the industry because it appeared to be the first large-scale theft of credit and debit card numbers while the information was in transit.

The usual mode of attack targets data sitting in databases, as in the record-setting theft of information from Massachusetts-based TJX Cos. involving least 45 million card numbers belonging to customers of T.J. Maxx and Marshalls stores.

TJX Cos. agreed to regular external security audits in a settlement this week with the Federal Trade Commission regarding the breach, which occurred in 2005 and 2006. The FTC lacks the authority to impose fines.

Sherry Lang, TJX's senior vice president for investor and public relations, said the company disagreed with the FTC's allegations that it didn't properly protect customer data. But she said the settlement "is consistent with the agreements between the FTC and other retailers that have been victimized by cyber crime."

A federal consumer lawsuit against TJX is pending in Boston.

Hannaford has said its breach, which occurred between Dec. 7 and March 10, allowed credit and debit card numbers to be stolen as shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.

The malware turned up in all Hannaford stores in New England and New York and in most of the company's affiliated Sweetbay stores in Florida, Eleazer said.

The finding was revealed in a letter from Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick's Office of Consumer Affairs and Business Regulation.

Eleazer declined to release a copy.

In Maine, Assistant Attorney General Linda Conti — who said she spoke with investigators — said the breach began as a single message sent to a single location that was then sent to multiple locations. She declined to discuss specifics.

Conti said her office is investigating whether the company did everything in its power to protect consumers.

Data from swiped cards would flow from the cash register to the store server, then perhaps to a regional server before being transmitted to a credit center for approval, said Avivah Litan, security analyst at Gartner Inc.

"It sounds like they were snooping on that traffic with malware," she said.

The involvement of the software had not been previously disclosed "because of the confidential nature of the investigation," Eleazer said. The breach remains under investigation by the U.S. Secret Service.

Even while the Hannaford hack was still going on last month, the company was found to be in compliance with security standards required by the Payment Card Industry, a coalition founded by credit card companies.