Friday, March 28, 2008

More on Hannaford...

So they uncovered some more data on the Breach at Hannaford this week and it was reported that software was installed on every server in their 300 stores, and that they weren't sure how the software was installed.

Let me give you my top 3 guesses:

1. An insider
2. An Insider
3. an insider

It was also reported that the software was installed at the point of sale to capture the swipes and the information. It was also reported that Hannaford did not store the credit card data.

If they had truly met the PCI standard then the entire chain would have been encrypted and the endpoints would be locked down, and this wouldn't have happened. If retailers do not work with their vendors that make up the processing chain then this kind of thing will continue to happen.

I can point fingers at the PCI spec, at Hannaford, at the manufacturer of systems, but the bottom line is there is one person at Hannaford whose responsibility it is for this - the CEO. This is his puppy and if his puppy is running around crapping in the neighbors yards, biting kids, etc. just beciase he didn't see it happen doesn't mean you don't put a leash on the dog. Common sense dictates that.

Had their authentication and identity audit practices been regularly tested and reviewed, after the second install of software had taken place or after they realized that 1 person accessed 1,000 servers and 300 endpoints, that they were an admin based in Scarborough, and they had given themselves root access on New Years eve, wel, hopefully you get the idea. This is common sense to most of us with or without lots of letters after our names a la CISSP, CISA, CISM, etc.

When all is said and done, this will be the work of an insider. Who it was is less interesting than Why they did it.

Here is a reprint of the aritcle in the Boston Globe:

The unauthorized intrusion the company disclosed on March 17 stemmed from software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas, Hannaford's top lawyer said in a letter sent to Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs and Business Regulation.

The software was installed on computer servers at each of the roughly 300 stores operated by Hannaford and its partners. Hannaford did not say how the software might have been placed on so many servers, and company spokeswoman Carol Eleazer said the company continues to investigate how the software was installed and other specifics of the breach. The Secret Service, which pursues currency crimes, is conducting its own investigation.

Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.


Blogger Benjamin Wright said...

Mark: Legally speaking, we can't expect the PCI to keep pace with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. --Ben

Monday, March 31, 2008 10:52:00 AM  
Blogger Mark Mac Auley said...

I will ask a potentially stupid question - why not?

Isn't your comment akin to saying that the Department of Homeland Security should not punish terrorists because they can't keep up with their plans?

Please elaborate.

States like Minnesota have adopted PCI and made it law, so does that make Best Buy and Target exempt from not following the law since expectations are out of whack?

I guess I need to learn more about the legality angle. Any pointers to cases would be great!

Wednesday, April 02, 2008 10:12:00 AM  
Blogger Benjamin Wright said...

Mark: The FTC (like the PCI) is unfairly focusing all the burden on merchants. It is not asking whether credit cards are in need of fundamental change. --Ben

Wednesday, April 02, 2008 7:36:00 PM  

Post a Comment

<< Home