Hannaford says malware planted on its store servers stole card data

Hannaford Bros. Co. disclosed this week that the intruders who stole up to 4.2 million credit and debit card numbers from the grocer's systems did so by planting malware programs on servers at each of its stores in New England, New York and Florida.

The malicious software was used to intercept the payment card data as the information was being transmitted from Hannaford's point-of-sale systems to authorize transactions, the company said in a letter sent to Massachusetts officials on Tuesday. The malware then forwarded the stolen card numbers as well as their expiration dates to an overseas destination, according to the letter, which was signed by Emily Dickinson, Hannaford's general counsel.

The discovery of the mass malware installation prompted a wholesale replacement of Hannaford's store servers. Dickinson's letter said that with help from the U.S. Secret Service and IT security vendors, the company has identified and replaced all of the affected hardware "and otherwise ensured that no versions of the malware remain anywhere on the company's systems."

The letter offered no explanation as to how the perpetrators might have gained access to each of the company's servers to plant the malicious code on them. Echoing separate comments by Hannaford officials, Dickinson wrote that the grocer was certified both last year and on Feb. 27 as being compliant with the Payment Card Industry Data Security Standard, or PCI.