The attack represents a "new and sophisticated" attack on computer networks, the company told the Massachusetts attorney general and the state's consumer-affairs agency.

The Hannaford breach is notable because -- unlike the notorious breach of The TJX Companies in 2006 -- the company did not store the customer data. Rather, the hackers captured the stream of data as card information was sent to banks for verification.

Inside Job?

The scheme may have compromised 4.2 million cards used at the stores between Dec. 7 and March 10, the company said. About 2,000 cases of fraud have been linked to the Hannaford breach.

The Hannaford breach appears to have been a professional, sophisticated attack, said Andrew Storms, director of security operations at nCircle Network Security, in an e-mail. "The means by which the malware was introduced and the data extracted only furthers the speculation that Hannaford was victim to a sophisticated attack," he said. "We have further information in the last few days that indicate this may have been an inside job, which seems to nicely explain some of the bigger questions."

The questions include how was the malware introduced and why was the attack so successful? "For example, it's unlikely that an outsider would have had such an incredibly high success rate at distributing the correct malware to all the correct systems," Storms said.

Furthermore, writing sophisticated software to intercept credit-card information at the time of a card swipe means "an attacker would have needed to have some prototype systems in-hand first to develop and test the system prior to deployment," Storms said.

Lessons for CIOs

What are the lessons of the Hannaford breach for CIOs?

The event signals that exploits don't always originate on the outside, said Storms. "So many companies spend too much time fighting the attacker by building a fortress around their network with the idea that all risks are going to attack from a given direction. What you end up with is a network that's hard and crunchy on the outside, but gooey on the inside."

As for Hannaford, "a system which processes credit-card data unencrypted has no reason to have line of sight of the Internet," Storms said. "And if it must, then reduce the risk through mitigation strategies like content inspection, monitoring, log analysis and stricter controls on who can alter those systems."

Finally, Hannaford was compliant with the Payment Card Industry security standards, which specifies how companies are to build a secure network, protect cardholder data, manage vulnerability programs and other methodologies. How could a PCI-complaint enterprise suffer such a breach?

For one thing, Hannaford might have fallen out of compliance, Storms said. But even if it was complaint at the time of the breach, "PCI compliance is not a panacea. It cannot cover every aspect of every distinct merchant network," Storms said.