PORTLAND – Unauthorized software that was secretly installed on servers in nearly all of Hannaford Bros. Co.’s supermarkets paved the way for a massive data breach that compromised up to 4.2 million credit and debit cards, the company said Friday.
The Scarborough-based grocer confirmed a report that it told Massachusetts regulators this week about the link to the illicit computer program known as “malware.”
The company doesn’t know if the malware – industry shorthand for malicious software – was downloaded to the servers from a remote location or at any or all of the nearly 300 stores, Hannaford spokeswoman Carol Eleazer said.
“Virtually everything is possible,” she said. “There are still many, many aspects that we don’t totally understand.”
The company has said that the data theft, which occurred between Dec. 7 and March 10, took place as shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.
The malware installation was revealed in a letter from Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick’s Office of Consumer Affairs and Business Regulation.
The Boston Globe first reported on the letter in Friday’s editions. Eleazer declined to release a copy, saying it was an attorney-to-attorney communication that was intended to be private.
The involvement of the software was not new information but rather “a level of detail that we’ve not shared previously because of the confidential nature of the investigation,” she said. The breach remains under investigation by the U.S. Secret Service.
Assistant Attorney General Linda Conti, who’s assigned to the Hannaford data breach, said Maine’s attorney general did not receive the same letter that was requested by the attorney general in Massachusetts. But she was briefed by Hannaford and the Secret Service on the data breach investigation.
Conti said she was told that the data breach began as a single message that was sent to a single location. Then it multiplied and was sent to multiple locations, she said.
She declined to discuss specifics.
As in all data breach investigations, the attorney general wants to know whether the company did everything in its power to protect consumers, or whether its security was lax.
“What we will be looking at is where does Hannaford fall in that range. Were they as careful as they could be, or were they negligent and loose with their information?” she said.
In the Hannaford network, data from the swiped card would flow from the cash register to the store server, then perhaps to a regional server and on to the processor, said Avivah Litan, security analyst at Gartner Inc.
“It sounds like they were snooping on that traffic with malware,” she said.
She and other experts agreed that there were many ways in which data thieves could have accessed the information, either from a remote location or on-site. The malicious code could have been sent as an attachment to an e-mail or a hacker with a laptop may have entered the server room at a store and hooked up to an open port.
The software was installed in all 165 Hannaford stores in New England and New York, and in most of the 106 Sweetbay stores in Florida, Eleazer said. The same computer systems are used in both supermarket chains, as well as a small number of independent stores in the Northeast that sell Hannaford products. Hannaford and Sweetbay are owned by the Belgian supermarket chain Delhaize America.
At least 1,800 cases of fraud have been linked to the data breach, with unauthorized charges showing up as far afield as Mexico, Italy and Bulgaria.
The breach has prompted concern in the industry because it appeared to be the first large-scale theft of credit and debit card numbers while the information was in transit. The usual mode of attack targets data sitting in databases, as in the record-setting theft of information from Massachusetts-based TJX Cos. involving at least 45 million cards.
Also, at least two class-action lawsuits have been brought on behalf of consumers whose credit and debit cards were compromised by the Hannaford data breach.