Hannaford Bros — point-of-sale card breach

Memory-scraping malware installed by the Albert Gonzalez crew on Hannaford supermarket POS systems harvested 4.2 million card numbers over three months without the company's knowledge.

Target: Hannaford Bros — point-of-sale card breach
Date public: 17 March 2008
Sector: Retail
Attack type: Data Breach
Threat actor: Albert Gonzalez crew
Severity: High
Region: United States

When Hannaford supermarkets disclosed a card breach in March 2008, security professionals were puzzled. The company was PCI-DSS compliant — it had passed the payment industry's own security audit. It was not storing card numbers after transactions completed. And yet 4.2 million cards had been stolen. How? The answer was that the thieves had found a gap in the rules. PCI required retailers not to store card data. It said relatively little about protecting card data in the brief moment it passes through a computer's memory during processing. The Gonzalez crew installed malware on Hannaford's point-of-sale terminals that sat and waited. Every time a customer swiped their card, the malware grabbed the card number and security code from the terminal's working memory — in the millisecond before the data was encrypted and sent to the bank — and quietly saved it. The malware ran undetected across roughly 300 stores for three months before anyone noticed. This technique — "RAM scraping" — subsequently became the standard approach used against retailers globally, including the massive 2013 Target breach. Hannaford is the origin story of an entire class of attack, and the reason the industry eventually moved to point-to-point encryption standards that encrypt card data inside the terminal hardware itself, before any computer can see the plaintext.

What happened

On 17 March 2008, Hannaford Bros. — a supermarket chain operating approximately 280 stores across the north-eastern United States — disclosed that attackers had installed malware on its point-of-sale systems and stolen approximately 4.2 million credit and debit card numbers. The malware had been running across Hannaford’s store network from approximately December 2007 until it was discovered in February 2008, a period of roughly three months.

The breach was notable for two reasons that distinguished it from the TJX and Heartland incidents that bracketed it in time. First, Hannaford was PCI-DSS compliant at the time of the breach — it had been audited and certified under the payment card industry’s security standard, and it had passed. Second, it was not storing card data: the standard criticism levelled at TJX (excessive data retention after transaction completion) did not apply to Hannaford. The company had followed the rules as written. It had been breached anyway.

The reason was that the attackers had found a category of risk the existing rules did not adequately address: the card data present in process memory on the terminal during active transaction handling. That data, however briefly, exists in plaintext. The malware captured it there.

Albert Gonzalez and co-conspirators were indicted for the Hannaford breach as part of the broader set of prosecutions covering TJX, Heartland and related intrusions. Gonzalez was sentenced to 20 years in federal prison in 2010.

How it worked

The Gonzalez crew gained initial access to Hannaford’s network through means that were not fully detailed in public court proceedings. Investigators assessed that the attackers compromised servers in Hannaford’s network — likely leveraging an internet-facing entry point or a compromised third-party connection — and then moved laterally to reach the systems managing point-of-sale operations.

The malware installed on the POS systems implemented what became known as RAM scraping or memory scraping. The technique exploits the fact that when a payment card is used at a terminal, the full card-track data — track 1 and track 2 magnetic stripe contents, including primary account number, expiry date, and in some implementations the service code and discretionary data — must be present in the system’s working memory for the fraction of a second during which the terminal formats the authorisation request. If the card data is encrypted before being sent to the acquiring bank, it is encrypted at the point of leaving the terminal or the local network; inside the terminal and the immediate processing environment, it briefly exists in plaintext.

The Hannaford malware sat resident in the POS system processes and polled memory regions associated with card processing at high frequency. When the characteristic data patterns of a card number appeared in the monitored memory, the malware captured them and staged them for later exfiltration. This happened for every card transaction across all affected stores, continuously, for three months, without triggering any of the monitoring or detection capabilities Hannaford had in place — capabilities sufficient to pass a PCI audit.

The exfiltration path ran from the store systems through Hannaford’s wide-area network to an external server. The stolen card data was encoded onto blank plastic cards for use in fraudulent in-store and ATM transactions, following the same monetisation pipeline Gonzalez’s crew used for TJX cards.

An important technical point: only 1,800 of the 4.2 million stolen card numbers were subsequently confirmed as used fraudulently before banks began cancelling and replacing them. This reflects the speed of the incident response and card-replacement process rather than any limitation on the stolen data’s usability — the cards were stolen and valid; the race was between the criminals’ ability to encode and use them and the industry’s ability to identify and cancel them.

Timeline

  • Late 2007 — Gonzalez crew gains access to Hannaford’s network. Entry vector not confirmed publicly. RAM-scraping malware installed on POS systems across the Hannaford store network.
  • December 2007 – February 2008 — Malware operates continuously across approximately 300 Hannaford stores, capturing card-track data from transactions in real time. Estimated 4.2 million card numbers captured.
  • February 2008 — Hannaford detects the breach through investigation of anomalous card-fraud reports from banks whose customers had shopped at Hannaford stores.
  • 17 March 2008 — Hannaford publicly discloses the breach. Affected card-issuing banks begin cancellation and replacement programmes.
  • May 2008 — Secret Service investigation establishes the technical details of the RAM-scraping technique and links the breach to the Gonzalez crew.
  • 2009 — Gonzalez indicted specifically for the Hannaford breach as part of the combined indictment covering Heartland, TJX, 7-Eleven and related intrusions.
  • March 2010 — Gonzalez sentenced to 20 years in federal prison.
  • 2010–2013 — PCI DSS standards updated with enhanced guidance on in-transit card data protection. Point-to-point encryption (P2PE) standards developed by PCI SSC, specifying that card data should be encrypted within the terminal hardware before any system software can access it. P2PE effectively closes the RAM-scraping attack surface against compliant implementations.
  • 2013 — RAM-scraping malware used in the Target breach (40 million cards) demonstrates that the technique remained viable against retailers that had not implemented P2PE.

What defenders should learn

The central lesson of the Hannaford breach — that PCI compliance is not the same as security — is one of the most important and most resisted in the payments industry. PCI-DSS defines a set of requirements that, when met, reduce the likelihood of certain classes of breach. It does not eliminate the likelihood. The standard reflects the understood attack surface at the time it was written; attacks evolve. Hannaford passed its audit and was breached anyway because the audit did not test for the specific technique the attackers used. This is not a failure of the standard per se; it is a demonstration that a compliance programme is a floor, not a ceiling, and that treating compliance as the definition of security leads to a false sense of assurance that leaves the organisation blind to controls the standard does not mandate.

The RAM-scraping technique the Gonzalez crew introduced at Hannaford had a clear structural solution: point-to-point encryption. P2PE specifies that card data is encrypted within the physical terminal hardware — at the hardware security module level — before it reaches any part of the software stack, including the operating system and application layer. An attacker who compromises the POS software, the application layer, or the network cannot capture plaintext card data because the plaintext never exists anywhere they can reach. P2PE was not a standard when Hannaford was breached; it became one in direct response to the RAM-scraping discovery. Retailers who adopted P2PE-certified implementations eliminated the attack class that defined not only Hannaford but also the later and much larger Target breach.
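To make the P2PE boundary concrete, here is an added simulation (not code from the page or from any PCI-certified product) contrasting what lands in POS application memory with a legacy reader versus a P2PE-style reader that encrypts inside the terminal. The SHA-256 counter-mode keystream, the key handling and the Luhn-based PAN check are assumptions standing in for the terminal's real AES/DUKPT scheme and a DLP tool's scanner; the track data is a constructed sample using a well-known test PAN.

```python
import hashlib
import os
import re

# Constructed track-2-style data; 4111111111111111 is a public Luhn-valid test PAN.
TRACK2 = b"4111111111111111=2512101123456789"

def keystream(key, nonce, n):
    """SHA-256 in counter mode, standing in for the terminal's AES/DUKPT (assumption)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

class P2PETerminal:
    """Simulated secure card reader: key and plaintext stay inside this boundary."""
    def __init__(self, key):
        self._key = key
    def read_card(self, track2):
        nonce = os.urandom(12)
        ct = bytes(p ^ k for p, k in zip(track2, keystream(self._key, nonce, len(track2))))
        return nonce + ct            # the only thing handed to the POS application

def legacy_read_card(track2):
    """Pre-P2PE reader: hands the POS application the raw track data."""
    return track2

def pos_application_buffer(reader):
    """What ends up in POS application memory when it builds an authorisation message."""
    return b"AUTH amt=12.34 card=" + reader(TRACK2) + b" store=0042"

def luhn_ok(digits):
    """Luhn checksum over an ASCII digit byte string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def find_pans(buf):
    """DLP-style check: Luhn-valid digit runs of PAN length present in a buffer."""
    return [m.group() for m in PAN_RE.finditer(buf) if luhn_ok(m.group())]

if __name__ == "__main__":
    print("legacy :", find_pans(pos_application_buffer(legacy_read_card)))
    print("p2pe   :", find_pans(pos_application_buffer(P2PETerminal(b"k" * 32).read_card)))
```

The legacy buffer exposes the PAN to anything that can read application memory; the P2PE buffer contains only ciphertext, so the same scan finds nothing.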

The network-access path that gave the attackers reach to Hannaford’s store POS systems from an internet-facing entry point is the second failure. POS systems should not be reachable from general enterprise network segments; they should reside in isolated network zones with defined and minimal connectivity — to the payment gateway and nothing else. The principle is the same one TJX illustrates: every point of entry to the store network is also a point of entry to the card-processing environment unless segmentation prevents the pivot.

The Hannaford breach also illustrates the value of monitoring what leaves the network rather than only what enters it. The malware operated for three months without detection by inbound-focused controls. An outbound data-exfiltration monitoring programme — watching for unusual volumes or patterns of outbound traffic from POS network segments — provides a detection layer that operates independently of signature-based malware detection and that might have shortened the three-month dwell time.
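The two controls above, a POS zone allowed to talk only to the payment gateway and a volume watch on what leaves that zone, can be checked against egress flow logs. The following is an added example, not code from the page or from Hannaford; the segment, gateway address, baseline figure and flow lines are all constructed assumptions (RFC 5737 documentation addresses).

```python
import ipaddress
import re
from collections import defaultdict

# Assumed values for the example, not Hannaford's real network.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")   # isolated store POS zone
ALLOWED_EGRESS = {("198.51.100.10", 443)}            # payment gateway, nothing else
BASELINE_BYTES_PER_HOST = 200_000                    # expected daily egress per POS host
VOLUME_FACTOR = 10                                   # alert at 10x baseline

# Constructed firewall/NetFlow-style egress records, one per line.
FLOW_LOG = """\
ts=2008-01-14T02:11:05Z src=10.50.3.21 dst=198.51.100.10 dport=443 bytes=120000
ts=2008-01-14T02:13:40Z src=10.50.3.21 dst=203.0.113.77 dport=443 bytes=4800000
ts=2008-01-14T02:15:02Z src=10.50.3.22 dst=198.51.100.10 dport=443 bytes=150000
ts=2008-01-14T02:20:17Z src=10.50.3.23 dst=198.51.100.10 dport=443 bytes=2600000
ts=2008-01-14T02:22:09Z src=10.20.1.5 dst=203.0.113.77 dport=443 bytes=9000000
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

def parse_flows(text):
    """Yield (src, dst, dport, bytes) tuples from key=value flow lines."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def analyse_egress(text, segment=POS_SEGMENT, allowed=ALLOWED_EGRESS,
                   baseline=BASELINE_BYTES_PER_HOST, factor=VOLUME_FACTOR):
    """Alerts for POS-zone hosts: any flow to a non-gateway destination
    (segmentation violation) and any host whose total egress exceeds factor x baseline."""
    alerts = []
    egress_per_host = defaultdict(int)
    for src, dst, dport, nbytes in parse_flows(text):
        if ipaddress.ip_address(src) not in segment:
            continue                      # outside the card-data zone; other rules apply
        egress_per_host[src] += nbytes
        if (dst, dport) not in allowed:
            alerts.append({"rule": "segmentation_violation", "host": src,
                           "dst": f"{dst}:{dport}", "bytes": nbytes})
    for host, total in egress_per_host.items():
        if total > baseline * factor:
            alerts.append({"rule": "volume_anomaly", "host": host,
                           "dst": None, "bytes": total})
    return alerts

if __name__ == "__main__":
    for alert in analyse_egress(FLOW_LOG):
        print(alert)
```

The segmentation rule fires on the first non-gateway flow regardless of size, while the volume rule also catches a host that stays within the allowed path but sends far more than its peers.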

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
