Over 1,000,000 debit card numbers hacked from...




A Ron Paul Rebel
03-18-2008, 06:10 AM
Hannaford grocery stores last night!

If you shop at Hannaford, you might want to get a new debit card.





p.s. Not RP grassroots, but very definitely is revolution grassroots.
...On second thought, this can be an example to what having a
RealID card can happen, but on an even bigger scale.

ItsTime
03-18-2008, 06:13 AM
shhhhhhhhhhhhhhhhhhhitttttttttttttttt

do you have a source?

OptionsTrader
03-18-2008, 06:15 AM
http://www.reuters.com/article/domesticNews/idUSN1763656820080317

Credit card data stolen from supermarket chain

BOSTON (Reuters) - A computer hacker stole thousands of credit card numbers after breaching security at two U.S. grocery store chains owned by Belgium-based Delhaize Group SA, the companies said on Monday.

Nearly 2,000 cases of fraud have been linked to the breach, but no personal information such as names or addresses was accessed when the hacker broke into the Hannaford Bros. stores in Massachusetts, New England and New York, and Sweetbay customers in Florida, Hannaford said in a statement.

Boston's WBZ radio said 4.2 million credit and debit card numbers were stolen. Company officials were not immediately available to confirm the number of stolen card numbers.

Hannaford, headquartered in Scarborough, Maine, said it became aware of unusual credit card activity on February 27 and began an investigation. It said the data was illegally accessed during the credit card authorization process.

Hannaford Chief Executive Ron Hodge offered an apology for the intrusion. There are 165 Hannaford stores in the U.S. Northeast and 106 Sweetbay supermarkets in Florida.

"We sincerely regret any concern or inconvenience this has caused," Hodge said in a statement. "We have taken aggressive steps to augment our network security capabilities."

The breach is the latest at a big U.S. retailer and comes after U.S. retail group TJX Cos Inc disclosed last year that data from 45.7 million credit and debit cards were stolen by hackers over a period of 18 months, as well as personal information for 451,000 people.

A group of banks later asserted in court documents that the number of consumer accounts affected was closer to 94 million, a charge Massachusetts-based TJX denied.

(Reporting by Jason Szep)

ItsTime
03-18-2008, 06:16 AM
http://ap.google.com/article/ALeqM5ipET-mkUFMHvZNMr5WJkcg82NHIwD8VFFLS00

4.2 million? damn

Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn't contained until March 10, said Carol Eleazer, Hannaford's vice president of marketing in Scarborough.

shouldn't they have stopped using credit card transactions somewhere in there?

A Ron Paul Rebel
03-18-2008, 06:21 AM
call me a conspiracy theorist but I can't help but
wonder if any of this is intentional by... they!

FrankRep
03-18-2008, 06:45 AM
call me a conspiracy theorist but I can't help but
wonder if any of this is intentional by... they!

"They" will certainly use this event to push for a Real ID with a built-in credit payment system based on biometric identification, RFID chips and a GPS tracking system.

steph3n
03-18-2008, 07:41 AM
well no names were with it so a number alone isn't too useful for a half decent online merchant to be aware of

Paul.Bearer.of.Injustice
03-18-2008, 07:54 AM
probably the Chinese

kpitcher
03-18-2008, 07:56 AM
A few years ago the major card companies developed CISP which made a company liable for fines of 10K PER CARD taken out of any database of stored card info. In order to store any credit card info you have to have a yearly, and pricey, audit.

I can only guess they forgot to do this, or their audit company sucks at detecting flaws in a setup.

nullvalu
03-18-2008, 08:20 AM
A few years ago the major card companies developed CISP which made a company liable for fines of 10K PER CARD taken out of any database of stored card info. In order to store any credit card info you have to have a yearly, and pricey, audit.

I can only guess they forgot to do this, or their audit company sucks at detecting flaws in a setup.

Well I work in the computer industry and know VISA has a requirement and any CC information stored must be encrypted with at least 128-bit methods. (I use 256-bit AES, why the heck not).. So I'm wondering if the data that was stolen was actually encrypted and there's nothing much to worry about.. either that, or there were some serious f'ups. But they do happen. A client of mine recently gave us a copy of their database that has about 100,000 unencrypted CC#'s. First thing I did was delete that table, I want nothing to do with that if it got stolen from me! :)

New York For Paul
03-18-2008, 09:08 AM
I read that the weakness in the system is in the transport of the data. Many banks will have great security systems but then send back up magnetic tapes via Fed Ex or UPS. Of course people can tell from the package that there is a large mag tape inside.

That is what they steal and then get the CC numbers from there. The banks are too cheap to hire an armored truck to transport backup database tapes.

nullvalu
03-18-2008, 10:39 AM
I read that the weakness in the system is in the transport of the data. Many banks will have great security systems but then send back up magnetic tapes via Fed Ex or UPS. Of course people can tell from the package that there is a large mag tape inside.

That is what they steal and then get the CC numbers from there. The banks are too cheap to hire an armored truck to transport backup database tapes.

Still, you would think that the data on the tape would be encrypted..

adam1mc
03-18-2008, 11:02 AM
Hannaford grocery stores last night!

If you shop at Hannaford, you might want to get a new debit card.





p.s. Not RP grassroots, but very definitely is revolution grassroots.
...On second thought, this can be an example to what having a
RealID card can happen, but on an even bigger scale.


Never even heard of them. I thought the entire Country shopped at Walmart, Kroger, Safeway and Albertsons....

Live Free or Die
03-18-2008, 11:21 AM
It's worse than that article outlines.
http://tinyurl.com/27dz7w
Hannaford first became aware of unusual credit card activity on Feb. 27. Investigators later discovered that the data breach began on Dec. 7. It wasn't contained until March 10, Eleazer said.
...
The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it's investigating. New Hampshire Attorney General Kelly Ayotte said her office was notified of the breach yesterday.
She stressed that the Secret Service's involvement could have been reason for the delay.

"It's important that companies notify us as soon as they are aware of a breach, because time is of the essence," Ayotte said. "The best protection consumers have is to check their own statements. That's when time becomes obviously important."
...
Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, criticized the delay in public notification of the source of the breach. Visa and MasterCard promise retailers they will not divulge who the source is when a data breach occurs, Spitzer said.

For a couple of years, bankers have tried to change the rule.

"Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer," he said.

rpfan2008
03-18-2008, 12:13 PM
call me a conspiracy theorist but I can't help but
wonder if any of this is intentional by... they!

FIGHT CLUB? :D
probably they are giving an excuse to resist Real ID . :rolleyes:

HollyforRP
03-18-2008, 12:13 PM
Still, you would think that the data on the tape would be encrypted..

agreed. I found myself questioning just exactly how if encrypted these so called hackers plan to do anything unless of course with every card swipe, our data is stored unencrypted on the store's database in which consumers should be able to sue for not being aware that their information that could be compromised was being stored in the first place.

A Ron Paul Rebel
03-18-2008, 12:30 PM
Never even heard of them. I thought the entire Country shopped at Walmart, Kroger, Safeway and Albertsons....

If you think that's weird, this will blow your mind...












I don't think that there are any Safeways OR Albertson's here on the East Coast! :eek:

HollyforRP
03-18-2008, 12:34 PM
If you think that's weird, this will blow your mind...












I don't think that there are any Safeways OR Albertson's here on the East Coast! :eek:

There has to be an agenda behind this article. I'm wondering if it has to do with what you just mentioned.

syborius
03-18-2008, 01:38 PM
agreed. I found myself questioning just exactly how if encrypted these so called hackers plan to do anything unless of course with every card swipe, our data is stored unencrypted on the store's database in which consumers should be able to sue for not being aware that their information that could be compromised was being stored in the first place.



rarely are corporate DB's encrypted.....access points/POS are firewalled, and encrypted for transport to the DB. But once the data is actually stored, it's usually in a very simple format. There is no simple usable system that I am aware of for DB's where everything is 100% encrypted, it's just not practical to decrypt each time to call on a single stream of data. Also magnetic tapes are dinosaurs, and probably being phased out anyway, but if they are in transport/ups it is highly unlikely that any of the source files are encrypted.

robert4rp08
03-18-2008, 06:49 PM
Not to worry... the Real ID will protect us.

New York For Paul
03-20-2008, 01:23 PM
rarely are corporate DB's encrypted.....access points/POS are firewalled, and encrypted for transport to the DB. But once the data is actually stored, it's usually in a very simple format. There is no simple usable system that I am aware of for DB's where everything is 100% encrypted, it's just not practical to decrypt each time to call on a single stream of data. Also magnetic tapes are dinosaurs, and probably being phased out anyway, but if they are in transport/ups it is highly unlikely that any of the source files are encrypted.

That's why magnetic tapes are tempting targets I guess.

New York For Paul
03-20-2008, 01:30 PM
Don't expect the Social Security Administration or other agencies to protect your data either.

A company hired by these agencies, US Protect Corp just got into big trouble.


Security since 9/11.

"Hudec had four prior felony fraud convictions and was released from federal prison in 2001, yet was able to broker more than $150 million in federal contracts from 2001 to 2004."

He won contracts to protect the Social Security Administration, FBI and Air Force facilities.

http://www.washingtontimes.com/article/20080319/NATION/3627671

Banana
03-20-2008, 01:41 PM
I read that the weakness in the system is in the transport of the data. Many banks will have great security systems but then send back up magnetic tapes via Fed Ex or UPS. Of course people can tell from the package that there is a large mag tape inside.

That is what they steal and then get the CC numbers from there. The banks are too cheap to hire an armored truck to transport backup database tapes.

This is a bit of tangent so I'll need to ask you to bear with me.

From what I read about SSL's flaws, SSL was a great solution for a problem that didn't even exist. See, the threat model they used for SSL was to assume that the two endpoints were clean while the line is not safe. Therefore, they try to establish that the endpoints are the endpoints that we think they are, then encrypt the transportation in between.

But the real problem is that SSL does nothing to stop a trojan horse on your computer from logging the keypresses when you enter in that sensitive information. So it fails miserably when we consider how easy it is to infect a computer and especially that the endpoint is much more likely to be dirty than the line itself.

The point is that several solutions out there aren't always the correct solutions to the problem; they may be the right answer for a problem that doesn't even exist, but that doesn't make that solution a real solution. Kind of like answering a math question with the solution from the previous math question, really.

So I wonder whether this was the case with Hannaford: their security was foolproof for an entirely wrong model?

adam1mc
03-20-2008, 02:44 PM
http://www.youtube.com/watch?v=ZQUvySJeLdI

I'm in the security business and I deal with some of the more nasty threats that exist in the wild. There are tons of ways to rip people off. Either by ATM, Social Engineering or even by hacking DB's. Doesn't everyone remember when TJ Maxx was hacked several years ago? Millions of people's information compromised.

Unfortunately, information such as this is now all too common to even be considered news any longer.

New York For Paul
03-21-2008, 12:40 PM
Now it looks like the passport database has been breached or hacked.

http://www.abcnews.go.com/Politics/Vote2008/story?id=4492773&page=1

I can't feel sorry for Hillary, because she got 1000 FBI files sent to her office.

Gee, I can't wait for our medical records to go online, now everybody will be able to look at them.

A Ron Paul Rebel
03-30-2008, 08:18 AM
just got a new card and the expiration date is 09/11 :eek: