According to this Boston Globe article, "Advanced tactic targeted grocer":
A massive data breach at Hannaford Brothers Cos. was caused by a “new and sophisticated” method in which software was secretly installed on servers at every one of its grocery stores, the company told Massachusetts regulators this week.
The software was installed on computer servers at each of the roughly 300 stores operated by Hannaford and its partners. Hannaford did not say how the software might have been placed on so many servers, and company spokeswoman Carol Eleazer said the company continues to investigate how the software was installed and other specifics of the breach.
To me this raises a few questions. Where was File Integrity Monitoring (PCI 10.5.5) of the store servers? Why didn't this pick up any changes to the store servers? Was it not monitored? Was it not configured properly? Was the malware installed in a directory that wasn't monitored by the File Integrity Monitoring software? How does software get installed at every one of its stores without detection? (Yes, I understand that maybe no files were written to disk, and everything could theoretically be done in memory, but the malware would have to run at higher privileges to sniff the network (exploit of an unpatched system?) and there would need to be some type of outgoing network traffic (probably encrypted payloads to bad guys' sites).)
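To make the "unmonitored directory" question concrete, here is a small file-integrity monitor I've added as an illustration (this is not code from the post, from Hannaford, or from any PCI-validated FIM product). It snapshots a directory tree as SHA-256 hashes plus size and mode, rescans, and diffs. The store-server layout, the `tmp` exclusion, and the "trojaned agent" / "dropped sniffer" changes in `demo()` are all constructed for the example; the point it shows is that a monitor configured to skip a directory reports nothing when the new file lands there, while a full-tree baseline catches it.

```python
"""Minimal file-integrity monitor: baseline a tree, rescan, diff (added example)."""
import hashlib
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries never sit fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, exclude=frozenset()):
    """Return {relative_path: {sha256, size, mode}} for every regular file under root.

    `exclude` is a set of relative directory paths that are skipped entirely;
    that skip list is exactly the blind spot the post asks about."""
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [
            d for d in dirnames
            if os.path.normpath(os.path.join(rel_dir, d)) not in exclude
        ]
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are not hashed here
            rel = os.path.normpath(os.path.join(rel_dir, name))
            snapshot[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return snapshot


def compare(baseline, current):
    """Diff two snapshots into sorted lists of added / removed / modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario (not a real incident): a store-server tree, two
    baselines (one that excludes tmp, one that covers everything), then two
    hypothetical attacker changes. Returns (narrow_report, full_report)."""
    root = tempfile.mkdtemp(prefix="storesrv-")
    _write(os.path.join(root, "bin", "pos_agent"), b"legitimate agent v1")
    _write(os.path.join(root, "etc", "pos.conf"), b"switch=10.0.0.5\n")
    os.makedirs(os.path.join(root, "tmp"))

    excluded = frozenset({"tmp"})
    baseline_narrow = scan(root, exclude=excluded)
    baseline_full = scan(root)

    # Hypothetical attacker actions: replace the agent binary, drop a sniffer in tmp.
    _write(os.path.join(root, "bin", "pos_agent"), b"trojaned agent")
    _write(os.path.join(root, "tmp", "sniff.so"), b"\x7fELF fake sniffer payload")

    narrow = compare(baseline_narrow, scan(root, exclude=excluded))
    full = compare(baseline_full, scan(root))
    return narrow, full


if __name__ == "__main__":
    narrow, full = demo()
    print("monitor excluding tmp:", narrow)
    print("monitor covering whole tree:", full)
```

Two caveats a real deployment needs that this toy skips: the baseline has to live (and be verified) somewhere the monitored host cannot rewrite it, or the same privileged malware just re-baselines itself; and, as the post already notes, a payload that never touches disk produces no hash change at all, so FIM is a detective control for on-disk persistence, not for in-memory sniffing.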
The data were taken “in transit for authorization from the point of sale,” the letter states, meaning as it was transmitted from the cash register to one of the institutions that Hannaford uses to process transactions. Eleazer said these include major card networks and First Data Corp. of Denver, a major processor.
When possible in OLS.Switch we don't send unencrypted card numbers in the message format from the POS to the switch. From the switch to the endpoints (FDR, VISA DEX, MC Banknet) is a different story (as far as I know, nothing other than TCP/IP sockets sending data in the clear across a private network is supported. I would love to see channel-encrypted tunnels here in the future.)