Friday, March 28, 2008

More on Hannaford...

So they uncovered some more data on the breach at Hannaford this week. It was reported that software was installed on every server in their roughly 300 stores, and that they weren't sure how the software got installed.

Let me give you my top 3 guesses:

1. An insider
2. An Insider
3. an insider

It was also reported that the software sat at the point of sale, capturing card data as customers swiped, and that Hannaford did not store the credit card data.

Had they truly met the PCI standard, card data would have been encrypted across the processing chain and the endpoints locked down, and this attack would have been far harder to pull off. If retailers do not work with the vendors that make up their processing chain, this kind of thing will continue to happen.

I can point fingers at the PCI spec, at Hannaford, at the manufacturer of the systems, but the bottom line is that there is one person at Hannaford whose responsibility this is: the CEO. This is his puppy, and if his puppy is running around crapping in the neighbors' yards and biting kids, the fact that he didn't see it happen doesn't mean you don't put a leash on the dog. Common sense dictates that.

Had their authentication and identity audit practices been regularly tested and reviewed, someone would have noticed after the second install of the software, or after realizing that one person had accessed 1,000 servers and 300 endpoints, that the account belonged to an admin based in Scarborough, and that they had given themselves root access on New Year's Eve. Well, hopefully you get the idea. This is common sense to most of us, with or without lots of letters after our names a la CISSP, CISA, CISM, etc.
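The paragraph above sketches three review rules that a regular identity audit would apply: an account granting itself root, one account touching far more hosts in a day than a human admin plausibly would, and privileged changes made on a holiday or outside business hours. The following is an added example, not code from the original post or from Hannaford: it runs those rules over a constructed audit log. The pipe-separated log format, the account names (`admin_scar`, `jsmith`), the host names and the thresholds are all assumptions made for illustration.

```python
"""Audit-log review rules for the insider pattern sketched above.

Added example with constructed data. The log format, account names,
host names, business-hours window and fan-out threshold are assumptions,
not anything taken from Hannaford or from a real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str    # account performing the action
    host: str     # system the action was taken on
    action: str   # "login" or "grant_root" in this constructed format
    target: str   # for grant_root: the account receiving root; otherwise ""


PRIVILEGED_ACTIONS = {"grant_root"}


def parse_line(line: str) -> AuditEvent:
    """Parse one line of the constructed format:
    ISO-8601 timestamp|actor|host|action|target"""
    ts, actor, host, action, target = line.strip().split("|")
    return AuditEvent(datetime.fromisoformat(ts), actor, host, action, target)


def self_granted_privilege(events):
    """Rule 1: an account granting root to itself is a finding at any hour."""
    return [e for e in events
            if e.action in PRIVILEGED_ACTIONS and e.actor == e.target]


def host_fanout(events, max_hosts_per_day):
    """Rule 2: one account touching more distinct hosts in a calendar day than
    the threshold. Returns {(actor, day): distinct_host_count} for offenders."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.actor, e.when.date())].add(e.host)
    return {k: len(v) for k, v in seen.items() if len(v) > max_hosts_per_day}


def privileged_outside_window(events, start=time(8), end=time(18),
                              holidays=frozenset()):
    """Rule 3: privileged actions outside business hours, on a weekend,
    or on a listed holiday (New Year's Eve in the sample data)."""
    findings = []
    for e in events:
        if e.action not in PRIVILEGED_ACTIONS:
            continue
        off_hours = not (start <= e.when.time() < end)
        if off_hours or e.when.weekday() >= 5 or e.when.date() in holidays:
            findings.append(e)
    return findings


def build_sample_log():
    """Constructed sample: one admin grants itself root on two servers late on
    New Year's Eve, then logs into 320 POS servers in the small hours of one
    day; a second admin makes one legitimate, in-hours grant to someone else."""
    lines = [
        "2007-12-31T23:45:00|admin_scar|pos-srv-001|grant_root|admin_scar",
        "2007-12-31T23:46:00|admin_scar|pos-srv-002|grant_root|admin_scar",
        # Legitimate: grantor differs from grantee, Thursday, business hours.
        "2008-01-03T10:15:00|jsmith|pos-srv-001|grant_root|newhire",
        "2008-01-02T09:00:00|jsmith|pos-srv-001|login|",
    ]
    for n in range(1, 321):
        lines.append(f"2008-01-02T02:{n % 60:02d}:00|admin_scar|pos-srv-{n:03d}|login|")
    return lines


def review(lines, max_hosts_per_day=25,
           holidays=frozenset({date(2007, 12, 31)})):
    """Run all three rules and return the findings keyed by rule name."""
    events = [parse_line(line) for line in lines]
    return {
        "self_grant": self_granted_privilege(events),
        "fanout": host_fanout(events, max_hosts_per_day),
        "off_window": privileged_outside_window(events, holidays=holidays),
    }


if __name__ == "__main__":
    for rule, hits in review(build_sample_log()).items():
        print(rule, hits if isinstance(hits, dict) else len(hits))
```

The point of the fan-out rule is that it needs no signature for the malware: it only asks whether any single identity is doing something no one person legitimately does, which is exactly the question the paragraph says nobody asked.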

When all is said and done, this will turn out to be the work of an insider. Who it was is less interesting than why they did it.

Here is a reprint of the article in the Boston Globe:

The unauthorized intrusion the company disclosed on March 17 stemmed from software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas, Hannaford's top lawyer said in a letter sent to Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs and Business Regulation.

The software was installed on computer servers at each of the roughly 300 stores operated by Hannaford and its partners. Hannaford did not say how the software might have been placed on so many servers, and company spokeswoman Carol Eleazer said the company continues to investigate how the software was installed and other specifics of the breach. The Secret Service, which pursues currency crimes, is conducting its own investigation.

Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.

Monday, March 24, 2008

Hannaford Supermarkets - Welcome to the Club

So this one hits close to home for me, since I shop at Hannaford Brothers two or three times per week. It hits even closer to home because I have contacted their CIO, CFO, and several folks in their IT group offering help over the past two years.

It is in my best interest to protect my information with the companies I do business with, and especially those companies in my backyard. I have done the same for Tiffany, LL Bean, and a dozen more online and brick-and-mortar retailers too.

Mathematically speaking, every US citizen's identity has been compromised.

So, to the management at Hannaford (Mr. Ron Hodge): here is my list of people I have contacted in the past two years to prevent this from happening. I will also tell you that this whole issue could have been prevented for under $200,000:

Bill Homa - CIO
Jeff Reeder - CFO
Kevin Carleton - Director of Retail Operations
Tricia Gilbert - IS Auditor
John McFarland - Enterprise Systems Team Lead

Add to this list past folks who either had the sense to leave before the doo-doo hit the fan, or bailed before they were called out by someone in the industry like me:

Paul Fritzson - CFO
David Fournier - IT Security Specialist

If anyone from Hannaford Brothers reads this, please get back to me. I am still in a position to help, and I will wait for the phone call from LifeLock to see if the 1,800 cases of fraud reported thus far will soon include me.

Oh, and an official welcome to the Level 1 PCI club, by virtue of the breach. Hannaford was already there, handling more than 6M transactions a year (wonder when they filed), and now this breach ensures some new expenses every quarter that will be passed on to consumers and tourists in a few weeks...


Thursday, March 13, 2008

Would the Real Identity of Kristen (Spitzer's Girl) Please Stand Up

I was wondering how long it was going to take for people to figure out who Kristen was - you know, the woman Eliot Spitzer was hooking up with.

I can only imagine the frenzy the folks at TMZ must have had, or the gossip hounds in NYC and DC doing everything they could to track this woman down. There were some things I couldn't help thinking about after the news broke:

1. The fact that somewhat skilled, unlicensed people with internet access can find out the identity of 'Kristen', while a large portion of the US freaks out over wiretapping. I say pick your poison. Tens of thousands of paparazzi digging is probably twice what the NSA has at any given time.

2. Maybe the paparazzi need to be exploited for our national security gains, whatever that might mean.

3. This is a hell of a way for a singer to jump-start her career. I think American Idol just jumped the shark. Yes, you heard it here first. Now we need the William Hung of the prostitute-politician connection to emerge. 'She bangs, she bangs!' I still love that guy.

4. I wonder if Kristen has LifeLock or other Identity Theft prevention services on her accounts.

5. What was Spitzer thinking? Granted, his choice was 1000% better than Hugh Grant's, but still... I would put Mrs. Spitzer in the MILF category.

That concludes my coverage of this incident. We're human, we screw up, and some of us do it in breathtaking ways. What do you think about a Giuliani/Mrs. Spitzer ticket?

OK. I'll crawl back under my rock now... Get back to work!