Shostack + Friends Blog Archive

 

Hannaford: 4.2 million card #s potentially exposed

Hannaford says the security breach affects all of its 165 stores in the
Northeast, 106 Sweetbay stores in Florida and a smaller number of
independent groceries that sell Hannaford products. The company puts the
number of unique credit and debit card numbers that were potentially
exposed to fraud at 4.2 million.
The company is currently aware of about 1,800 cases of reported fraud
related to the security breach.
The Massachusetts Bankers Association said one-third of its 200 member
banks have been contacted by Visa and MasterCard about the problem.

WMUR.com, via Dataloss
If I am an independent grocer who sells Hannaford products, how does a Hannaford breach expose my customers’ card numbers? Do independent grocers report purchases to their suppliers, including the card numbers used to make those purchases? Do these smaller groceries outsource their POS activities to a large supplier (i.e., Hannaford)?
Update: I read at MSNBC.com that the card numbers were revealed during the authorization process. This jibes with the “outsourced POS” (as I sloppily use the term) theory. I need to review the details of “card present” authorization to understand this better, but my immediate thought was man-in-the-middle.