Hannaford Breach May Presage '08 Trend
The Hannaford Bros. supermarket chain said Monday that a breach of its computer systems may have given criminals access to more than four million credit and debit cards issued by nearly 70 banks nationwide. While the banks appear all but ready to blame Hannaford for failing to follow payment card industry standards on security, there are signs that this may be the first of many cases to surface this year wherein the affected retailer was hacked even though it appeared to be following all of the security rules laid out by the credit card associations.
The Boston Globe's Ross Kerber today writes that Hannaford is still investigating the specifics of how the data was taken, but that the company's chief executive said the data "was illegally accessed from our computer systems during transmission of card authorization." Translation: The hackers snatched the credit/debit card data sometime between when the customer swiped their card in the reader at the register and when that transaction was approved.
The Globe story continues: "What could make the Hannaford case unusual is that since last spring its stores have met industry standards regarding how customer data is stored and maintained, Eleazer said. Many other retailers victimized by breaches, including TJX, had been faulted for lax security. It's too soon to know whether Hannaford's case will warrant the consideration of further security reforms, said Ted Julian, vice president of strategy at Application Security Inc., a New York database services company."
These details remind me of a conversation I had a few days ago with Bryan Sartin, vice president of investigative response for Cybertrust, a division of Verizon Business. Sartin said a great many retailers have taken extra precautions to ensure that any credit or debit card data they store is properly encrypted and secured. Sartin said his team is currently responding to a number of data breaches in which hackers have targeted financial data as it is being transferred from the retailer to the credit card processor and back. While the payment card industry standards require retailers to encrypt payment data when it traverses public networks, that requirement does not necessarily apply to a company's own internal, non-public networks, Sartin said.
"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."
Sartin declined to say whether this dynamic was at work in the Hannaford case (his company had been retained by a party involved in the breach). But he noted that Cybertrust has found with a number of very recent compromises that attackers have seized control over the very terminals that control cash registers or point-of-sale systems within a retail store, or the server through which all registers connect to pass transaction data out across the Internet to the store's payment processor.
Once these systems have been compromised, Sartin said, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.
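One defensive check that follows from Sartin's point, added here as an example and not taken from the article or from any company it names: inspect captured internal authorization traffic for digit runs that pass the Luhn check, so a merchant can confirm whether cleartext card numbers actually cross the store's private links. The message layout and payloads are constructed, and the card numbers are well-known test numbers; findings are masked so the audit itself does not expose card data.

```python
"""Audit for cleartext primary account numbers (PANs) in captured traffic.

Added example. Scans payload bytes for 13-19 digit runs that pass the
Luhn mod-10 check and reports only masked values (last four digits).
"""
import re

# Digit runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a printed receipt would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return masked PANs found in cleartext in one captured payload."""
    text = payload.decode("latin-1")   # byte-preserving decode
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


# Constructed samples of a register-to-store-server authorization message.
# "4111111111111111" is a standard test number, not a real account.
SAMPLE_PAYLOADS = [
    b"AUTH|4111111111111111|1212|012345|USD|37.19",          # cleartext PAN
    b"AUTH|4111 1111 1111 1112|1212|012345|USD|12.00",       # fails Luhn
    b"\x17\x03\x01\x00\x45" + bytes(range(0x45)),            # opaque record
]


def audit(payloads=SAMPLE_PAYLOADS) -> dict[int, list[str]]:
    """Map payload index -> masked PANs seen in cleartext (empty = clean)."""
    return {i: p for i, b in enumerate(payloads) if (p := find_cleartext_pans(b))}
```

A non-empty result means the link is carrying card data in the clear and needs encryption regardless of whether the standard requires it for that segment.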
Indeed, attackers appear to be exploiting the letter - if not the spirit - of the payment card industry standards, said Tom Kellerman, vice president of security awareness at Core Security. Kellerman said many retailers not only fail to encrypt financial data while it is being moved around inside the stores, but they also fail to understand that encrypting data is meaningless if the merchant doesn't also harden the security of the computers that power the point of sale systems.
"Even the stores that are trying very hard to be [payment card industry security standards] compliant don't seem to comprehend that if I as an attacker own the computers inside of your store, then encryption means nothing," Kellerman said. "Unfortunately, our consultants are seeing this weakness left and right at groceries and other retailers."
Already, there are signs that 2008 may turn out to be a record-breaking year for retailer and card processor data breach disclosures. Kevin Mandia, president of Mandiant Corp., an Alexandria, Va.-based company that specializes in investigating data breaches, said his firm responded to more credit card losses in the past year than in any prior 12-month period.
"It's early in the year, but the tempo [of data breaches] has been very heightened since the summer of 2007 and maintained the same barrage," Mandia said. "We're seeing at least two new companies a week discovering that they've lost credit card numbers, and at the rate we're going [the criminals] are going to exhaust U.S. retailers as targets."