Hannaford's Breach Tests Limits of Security Controls
Supermarket chain Hannaford Bros. is spending millions of dollars to upgrade its security in a bid to close the holes that allowed thieves to steal up to 4.2 million credit and debit card numbers from store networks.
The remarkable thing about this case is not that the company was hacked, despite being certified as compliant with the security rules laid out by the payment card industry, but that so few retailers and businesses who accept card data even reach the level of security Hannaford had in place prior to its breach.
In a conference call with reporters Monday, Hannaford chief information officer Bill Homa said the company planned to spend millions of dollars putting "military- and industrial-strength" security controls in place at its corporate and store networks. To that end, Homa said Hannaford is installing new intrusion-prevention systems to monitor the company's various networks, and that it is in the process of replacing PIN pads used to process card transactions at store registers with devices that secure the data with Triple DES encryption.
In addition, the company said it is introducing new firewalls and intrusion detection technologies at the store and corporate level to "strengthen the segmentation of payment information."
Security experts say that last bit is a critical step because the internal networks of many businesses are, to borrow a quip from security pioneer Bill Cheswick, a lot like a candy bar -- "crunchy shell around a soft, chewy center." That is, once the attackers (or insiders) gain a trusted foothold in the network, it's then trivial for them to hop around from one part of the internal network to the next.
Hannaford disclosed in mid-March that unknown intruders had planted malicious software on the point-of-sale systems at some 294 stores. That malware let the attackers capture card numbers and expiration dates as the data traveled from the point-of-sale terminals to the systems that authorize shoppers' transactions. A similar case was reported a couple of weeks later by Okemo Mountain Resort, a skiing destination in Vermont.
Avivah Litan, a security and fraud analyst with Gartner Inc., said network segmentation is a perfect example of a vital security component that is not spelled out in the payment card industry (PCI) standards required by MasterCard, Visa, and the card associations.
"If you read the standards, you'll see they were written for e-retailers," Litan said. "The PCI standards don't recognize that there's no good reason for a company's stores to be able to talk to one another when it comes to [processing] card data. The fact that malware was spread across almost 300 stores shows there wasn't good network segmentation in place at Hannaford."
I speculated earlier this month that the Hannaford incident may presage a trend. I'm sticking by that prediction for one big reason: Fewer retailers are storing customer payment data, and those that do are encrypting it, as they should. Consequently, the attackers increasingly are going after the data in transit, another area of security not well-specified in the payment card standards (e.g., there's nothing in the PCI rules that says companies have to encrypt sensitive data when it's flowing across their internal networks).
Some experts have speculated that the Hannaford breach was the work of a former or current employee. While Hannaford won't provide that level of detail on the breach due to an ongoing law enforcement investigation, the insider threat makes an even stronger case for retailers going beyond the PCI standards. If your network isn't properly segmented, and payment card information is sent in the clear over internal networks, it's game over if there's a crooked insider in your midst, said John Nicholson, a senior associate at Pillsbury Winthrop Shaw Pittman LLP.
Nicholson said many data compromises, particularly those perpetrated by insiders, are due to a lack of network segmentation and proper access controls.
"There are two groups in the security industry: people who sell security products, and those who do security within companies. The former tend to focus on the hacker threat, viruses and hackers. The people who really do security at the network level talk a lot about the threat that insiders pose, because once someone is inside your network, it's really easy to do bad things."
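To make the segmentation point Litan and Nicholson raise concrete, here is a small policy check in Python, added here as an illustration and not code from the article or from Hannaford: given a constructed address plan in which each store's point-of-sale segment may talk only to the card-authorization gateway, it flags observed flows that cross a boundary the policy forbids (store-to-store and store-to-corporate traffic). The address ranges, zone names and sample flows are all assumptions.

```python
import ipaddress

# Constructed example address plan (an assumption, not Hannaford's real layout):
# each store's POS segment is its own /24, the card-authorization gateway sits
# in a separate segment, and corporate users live in 10.200.0.0/16.
STORE_POS_NETS = {f"store{n}": ipaddress.ip_network(f"10.{n}.0.0/24") for n in range(1, 4)}
GATEWAY_NET = ipaddress.ip_network("10.250.0.0/24")
CORP_NET = ipaddress.ip_network("10.200.0.0/16")

# Segmentation policy for card data: a store's POS segment may only talk to the
# authorization gateway (and receive its replies). Store-to-store and
# store-to-corporate flows are never needed to process a card transaction.
ALLOWED_ZONE_PAIRS = {("store", "gateway"), ("gateway", "store")}

def zone_of(ip_str):
    """Map an address to a coarse zone name, or 'unknown' if outside the plan."""
    ip = ipaddress.ip_address(ip_str)
    if ip in GATEWAY_NET:
        return "gateway"
    if ip in CORP_NET:
        return "corp"
    for net in STORE_POS_NETS.values():
        if ip in net:
            return "store"
    return "unknown"

def segmentation_violations(flows):
    """Return the (src, dst, dport) flows that cross a boundary the policy forbids."""
    bad = []
    for src, dst, dport in flows:
        # Traffic that stays inside one store's own segment is not a cross-segment flow.
        same_store = any(
            ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net
            for net in STORE_POS_NETS.values()
        )
        if same_store:
            continue
        if (zone_of(src), zone_of(dst)) not in ALLOWED_ZONE_PAIRS:
            bad.append((src, dst, dport))
    return bad

# Constructed sample of flows as a network monitor might observe them.
SAMPLE_FLOWS = [
    ("10.1.0.10", "10.250.0.5", 443),   # store1 POS -> authorization gateway: allowed
    ("10.1.0.10", "10.2.0.10", 445),    # store1 POS -> store2 POS: lateral traffic, flagged
    ("10.3.0.7", "10.200.4.20", 3389),  # store3 POS -> corporate host: flagged
    ("10.1.0.10", "10.1.0.11", 22),     # within store1's own segment: not checked here
]
```

Run `segmentation_violations(SAMPLE_FLOWS)` to see the two flagged flows; in a flat network like the one Litan describes, both would have passed unnoticed.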
Hannaford's Homa said the company was certified in 2007 and again in early 2008 as PCI compliant. Granted, PCI compliance is more of a snapshot in time than it is a guarantee that companies will always do the right thing from a security perspective. But what about the companies handling customer data that have not even met these basic standards yet?
According to stats released by Visa in January, nearly half of all Level 2 merchants - those that process between one and six million transactions a year - are still not PCI compliant. Roughly 77 percent of Level 1 merchants (more than six million transactions / year) are in sync with the standards, Visa said. Slightly more than half (54 percent) of e-commerce-only merchants were certified as PCI compliant in January.
April 23, 2008; 5:40 PM ET