Delhaize cuts 2008 profit outlook

AMSTERDAM, July 18 (Reuters) - Belgian supermarket group Delhaize (DELB.BR: Quote, Profile, Research, Stock Buzz) cut its 2008 outlook on Friday due to weakening consumer confidence and spending, saying it saw net profit from continuing operations growing by 15-20 percent instead of 25-30 percent as earlier announced.

Revenues are expected to increase between 3 and 4.5 percent compared to between 4 and 5.5 percent as previously announced, while operating profit growth is expected to be flat to 3 percent compared with 6 to 8 percent previously.

"In the U.S. as well as in our European markets, consumers are changing their spending behaviour as a result of higher oil and food prices and the continued problems in the financial and real estate markets," Delhaize said in a statement.

It will report second-quarter results on Aug. 4.

Source: Reuters

Advanced tactic targeted grocer

A massive data breach at Hannaford Brothers Cos. was caused by a "new and sophisticated" method in which software was secretly installed on servers at every one of its grocery stores, the company told Massachusetts regulators this week.

The unauthorized intrusion the company disclosed on March 17 stemmed from software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas, Hannaford's top lawyer said in a letter sent to Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs and Business Regulation.
The software was installed on computer servers at each of the roughly 300 stores operated by Hannaford and its partners. Hannaford did not say how the software might have been placed on so many servers, and company spokeswoman Carol Eleazer said the company continues to investigate how the software was installed and other specifics of the breach. The Secret Service, which pursues currency crimes, is conducting its own investigation.

Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.

In contrast, Hannaford says it did not store customer information. The hackers who struck Hannaford mined a stream of data that the merchant and banks were not responsible for protecting under industry rules, industry specialists said.

The Hannaford breach "was markedly more sophisticated," said Steve Rowen, a partner at Retail Systems Research of Miami, which does consulting work for merchants.

The Hannaford breach also poses worrisome questions for the payment industry as it struggles to tighten security. Hannaford, for example, had met compliance standards set by Visa Inc. and other card companies, but that did not stop the breach.

"Just because they are compliant, it doesn't mean they are safe," said Graham Cluley, technology consultant for Sophos Inc., a Burlington computer security firm. Card issuers and others need to find other ways to improve security, he added.

"Clearly, consumer confidence is being shaken by this constant stream of breaches," Cluley said.
Hannaford said in the letter that the problem potentially compromised the account numbers and expiration dates on all 4.2 million credit and debit card numbers used at its stores in six states between Dec. 7 and March 10, though the actual number taken may be smaller. Hannaford said it knows of about 2,000 cases of fraud related to the intrusion.

Hannaford's letter was sent by its general counsel, Emily D. Dickinson.

Dickinson wrote that an "illicit and unauthorized computer program" known as "malware" was installed on the servers of each of the stores the company operates in Maine, Vermont, New Hampshire, Massachusetts, and New York, plus at stores elsewhere, including the Sweetbay chain in Florida, that use its payment systems. Hannaford and Sweetbay are owned by Belgium's Delhaize Group.

The malware intercepted the "track 2" data stored on the magnetic stripe of payment cards as customers used them at the checkout counter, Dickinson wrote. This track includes the card's number and expiration date, but not the customer's name.

The data were taken "in transit for authorization from the point of sale," the letter states, meaning as it was transmitted from the cash register to one of the institutions that Hannaford uses to process transactions. Eleazer said these include major card networks and First Data Corp. of Denver, a major processor.

The malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider, the letter states. Foreign crime rings have been blamed in a number of other payment card fraud cases.

"Law enforcement officials and others report that the method of illicit acquisition is a new and sophisticated method in that it obtains data in transit during the course of the authorization process," the letter states.

Cluley said the software could have been installed remotely. This could have been accomplished through a breach of the company's firewall. Alternatively, the servers may not have been running the latest security patches, or may have had antivirus programs that weren't updated. Hannaford stated in the letter that it has replaced the hardware on which the malware was installed. Cluley said that could suggest a company insider or a technician for one of its vendors could have placed the code.

Executives of Visa Inc. of San Francisco, the largest payment card company, issued a statement yesterday saying it is working with Hannaford, banks, and law enforcement.

Hannaford said in its letter that it was certified a year ago as meeting card security standards and was recertified on Feb. 27. Eleazer said that was the day Visa first notified Hannaford of unusual card activity and began its investigation. That the standards did not stop the thieves, she said, "speaks to the increasing sophistication of the criminal element that propagates these attacks," she said.

Source: Boston.com

Hannaford Hit By Computer Breach

Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date.

The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency.

The intrusion is only the latest to strike a large retailer and comes amid growing scrutiny of the payments industry, which faces tough proposed rules on how customer information is handled. Concern over the issue crystallized last year following the theft of up to 100 million customer card numbers from Framingham retailer TJX Cos. Also last year, four men from Southern California received prison sentences after pleading guilty to US charges they stole payment information at checkout counters at Stop & Shop Supermarket Cos. stores in Rhode Island.

Hannaford, based in Scarborough, Maine, said compromised cards were used in transactions at all 165 stores it operates, plus transactions at 106 Sweetbay stores in Florida and 23 independently run stores that use Hannaford operating systems. Hannaford Bros. is owned by Belgium's Delhaize Group.

A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken. She said executives would not agree to be interviewed about what happened. In a statement posted to Hannaford's website, chief executive Ronald C. Hodge wrote that the data "was illegally accessed from our computer systems during transmission of card authorization." No names or addresses were accessed in the intrusion, Hodge wrote, adding that the stolen data was limited to credit and debit card numbers and expiration dates.

What could make the Hannaford case unusual is that since last spring its stores have met industry standards regarding how customer data is stored and maintained, Eleazer said. Many other retailers victimized by breaches, including TJX, had been faulted for lax security. It's too soon to know whether Hannaford's case will warrant the consideration of further security reforms, said Ted Julian, vice president of strategy at Application Security Inc., a New York database services company.

Maine is among the majority of states that have passed laws requiring companies to notify consumers when data is lost or stolen, but Eleazer said Hannaford wasn't legally required to disclose the breach and only chose to do so yesterday once it had gathered enough information to be helpful to consumers. It is encouraging shoppers to monitor all payment card statements and to contact their card issuers or banks if questionable charges appear.

Banks have previously complained that Visa and MasterCard system rules put too many of the costs of dealing with data breaches on financial institutions. Yesterday, before Hannaford's disclosure, the Massachusetts Bankers Association said in a statement that up to 70 banks in Massachusetts had been warned by MasterCard and Visa of a data breach at a major retailer between Dec. 7 and March 10, but that the credit card firms had not named the retailer. Not long afterward, Hannaford came forward. A representative for Visa said executives wouldn't comment. A MasterCard spokesman didn't respond to questions.

Source: Boston.com