Hackers loaded malware onto servers at 300 stores to intercept card data stored on the magnetic stripe of payment cards as customer's used them at the check-outs of US supermarket giant Hannaford Brothers.
The information comes from a letter to regulators in which Hannaford gave details of progress in its investigation.
Data taken in transit from the point of sale, included card number and expiration date but not the customer's name. The attack resulted in card data being transferred overseas and has resulted in 2,000 known cases of fraud.
"It's an evolving situation," said a Hannaford representative, noting that the computer forensics reports have not yet been completed on the data-breach incident.
Hannaford's security investigators are calling the attack "sophisticated" and the company said the US Secret Service is also involved in finding out how the data breach occurred.
The attack was successful in spite of the fact that Hannaford is compliant with the Payment Card Industry rules for proving adherence to the PCI data security standards by undergoing an elaborate - and usually expensive - examination and certification required by card associations, including Visa and MasterCard.
PCI also has requirements for periodic vulnerability scans. Hannaford says it received PCI certification last year and was recertified on 27 February.
If the attackers in the Hannaford case initially captured data from the point-of-sale device to a server in the store, they may have known that data isn't required under PCI to be encrypted at that point, notes Avivah Litan, vice president at Gartner and an expert in computer network security used in retailing.
"PCI only calls for the need to encrypt across an open network, usually the Internet or wireless," says Litan. "In retailing, you almost never encrypt between the cash register point of sale and the store server."