More on Hannaford...
Let me give you my top 3 guesses:
1. An insider
2. An Insider
3. an insider
It was also reported that the software was installed at the point of sale to capture the swipes and the information. It was also reported that Hannaford did not store the credit card data.
If they had truly met the PCI standard then the entire chain would have been encrypted and the endpoints would be locked down, and this wouldn't have happened. If retailers do not work with their vendors that make up the processing chain then this kind of thing will continue to happen.
I can point fingers at the PCI spec, at Hannaford, at the manufacturer of systems, but the bottom line is there is one person at Hannaford whose responsibility it is for this - the CEO. This is his puppy, and if his puppy is running around crapping in the neighbors' yards, biting kids, etc., just because he didn't see it happen doesn't mean you don't put a leash on the dog. Common sense dictates that.
Had their authentication and identity audit practices been regularly tested and reviewed, after the second install of software had taken place or after they realized that 1 person accessed 1,000 servers and 300 endpoints, that they were an admin based in Scarborough, and they had given themselves root access on New Year's Eve, well, hopefully you get the idea. This is common sense to most of us with or without lots of letters after our names a la CISSP, CISA, CISM, etc.
When all is said and done, this will be the work of an insider. Who it was is less interesting than Why they did it.
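The kind of identity audit review described above can be automated. This is an added example, not code from Hannaford or any vendor: the log format, account names, host names, the host threshold and the freeze dates are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not real data): time, actor, action, host, subject
SAMPLE_LOG = """\
2007-12-31T23:40:00 admin7 grant_root store-001 admin7
2007-12-31T23:41:10 admin7 login store-001 -
2007-12-31T23:42:05 admin7 login store-002 -
2007-12-31T23:43:30 admin7 login store-003 -
2007-12-31T23:44:00 admin7 install store-003 -
2008-01-02T09:15:00 helpdesk2 grant_root store-002 oper9
2008-01-02T09:20:00 oper9 login store-002 -
"""

FREEZE_DAYS = {(12, 31), (1, 1)}  # assumed change-freeze dates as (month, day)

def parse_events(text):
    """Turn whitespace-delimited audit lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        keys = ("actor", "action", "host", "subject")
        events.append({"ts": ts, **dict(zip(keys, parts[1:]))})
    return events

def review(events, max_hosts=2):
    """Return {actor: sorted findings} for accounts that need a human look."""
    hosts, findings = defaultdict(set), defaultdict(set)
    for e in events:
        hosts[e["actor"]].add(e["host"])
        if e["action"] == "grant_root":
            if e["subject"] == e["actor"]:  # admin elevated their own account
                findings[e["actor"]].add("self_granted_root")
            if (e["ts"].month, e["ts"].day) in FREEZE_DAYS:
                findings[e["actor"]].add("privilege_change_on_freeze_day")
    for actor, seen in hosts.items():
        if len(seen) > max_hosts:  # one account touching unusually many systems
            findings[actor].add("host_fan_out")
    return {actor: sorted(flags) for actor, flags in findings.items()}

if __name__ == "__main__":
    print(review(parse_events(SAMPLE_LOG)))
```

In a real environment `max_hosts` would be set from each role's normal baseline rather than a fixed number.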
Here is a reprint of the article in the Boston Globe:
The unauthorized intrusion the company disclosed on March 17 stemmed from software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas, Hannaford's top lawyer said in a letter sent to Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs and Business Regulation.
The software was installed on computer servers at each of the roughly 300 stores operated by Hannaford and its partners. Hannaford did not say how the software might have been placed on so many servers, and company spokeswoman Carol Eleazer said the company continues to investigate how the software was installed and other specifics of the breach. The Secret Service, which pursues currency crimes, is conducting its own investigation.
Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.