[Dataloss] Vermont ski area reports Hannaford-like theft of payment card data

security curmudgeon jericho at attrition.org
Thu Apr 3 10:00:50 UTC 2008



---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9074339

By Jaikumar Vijayan
April 2, 2008
Computerworld

In a security breach that sounds similar to the one disclosed by Hannaford 
Bros. Co. last month, the Okemo Mountain Resort ski area in Vermont 
announced this week that data from more than 46,000 credit and debit card 
transactions may have been compromised during a system intrusion over a 
16-day period in February.

Okemo said in a security advisory released on Monday that the breach may 
have affected customers who used their payment cards at the resort in 
Ludlow, Vt., between Feb. 7 and Feb. 22, the time frame when the intrusion 
took place. The intruder or intruders may also have accessed data from 
card transactions processed between January and March 2006, according to 
the advisory.

Bonnie MacPherson, a spokeswoman for Okemo, said today that at least some 
of the data appears to have been stolen as the recent payment card 
transactions were being authorized. "We can tell you that this was a 
real-time theft," MacPherson said. "The information was being taken as the 
cards were being swiped."

If that is actually the case, it could make the breach at Okemo a close 
cousin to the much larger one announced by Hannaford on March 17. In the 
Hannaford breach, malware installed on servers in each of the Scarborough, 
Maine-based company's grocery stores intercepted card data as the 
information was being transmitted from point-of-sale systems to authorize 
transactions.

[..]

