How Was Hannaford Hacked?

By George Anderson

Those who may have initially assumed that the data breach that exposed the information of more than four million credit and debit card accounts of customers of Hannaford Bros. was due to lax security may find that it wasn’t the grocer’s fault after all.

According to Carol Eleazer, vice president of marketing for Hannaford, the company was certified last month as being compliant with the PCI Security Standards Council’s standards.

The simple fact, some experts say, is that it is not possible for any retailer to totally safeguard consumer records.

“That’s like asking if you can have a 100-percent secure home that cannot be broken into,” Avishai Wool, chief technical officer at the computer network security company AlgoSec, told The Associated Press. “I don’t think you can. If the bad guys spend enough money and have the appropriate equipment, they can go through anything.”

Slavik Markovich, chief technology officer of Sentrigo Inc., a database security company, said data breaches have reached “global epidemic” proportions.

“Overall, this type of attack, lasting several months and resulting in large-scale data theft and actual cases of fraud demonstrates once more that enterprises are being proactively targeted by organized crime. Weak links anywhere in the data chain that leave the data vulnerable to theft are exploited,” he wrote in an email to The AP.

It should be noted that while not enough detail is known at this point to fault Hannaford Bros., the internet is rife with speculation about certain aspects of the company’s story.

A piece on Evan Schuman’s Storefront Backtalk site, for example, questions the timing of Hannaford’s PCI recertification. “As a Level 1 retailer, Hannaford is only required to undergo a PCI assessment once a year. If they were compliant in the Spring – regardless of which month it was – it seems eyebrow-raising that they would have sought another assessment so soon.”

To have completed the certification by last month, the article suggests, the process would have had to begin around Nov. or Dec. of last year.

Hannaford has said the breach began on Dec. 7 of last year and ended on March 10.

Discussion Questions: What questions do you have based on the disclosures made by Hannaford Bros.? Are the standards needed to safeguard consumer data adapting quickly enough to keep up with the security challenge?

Ryan Mathews
16 years ago

First of all I don’t–and I suspect nobody outside Hannaford and the hackers–really know enough details to begin to speculate on what happened. Here are the facts we know: Hannaford has a system and all systems can be hacked. As to timing, the company could have been certified as being compliant with the PCI Security Standards Council’s standards two minutes before it was hacked.

Computer security is often an exercise in after-the-fact correction; that is, you discover where the bad guys can get in because, well, because they got in. A little too early for conspiracy or cover-up theories. It’s the downside risk we take for our reliance on technology.

Gordon Arnold
16 years ago

Prior to my current position in the retail industry, I worked as an IT Security Auditor measuring the security, business continuity, and disaster recovery capabilities of very large financial institutions. I know first hand how breaches like this one occur.

Today’s technologies provide industries with the means to assure that this sort of breach will not occur, and definitely not over several months. I am highly confident that this is a felony action most likely including more than one individual. By this I mean the person(s) taking the information and the person(s) willing to pay for the information.

There are three categories of people with the means to attack a specific system and get assured results. Service contract technicians, outsource programmers or system consultants with system access, and, of course, company employees. The sort of individual that helps themselves to the company’s property is successful over prolonged endeavors when the system itself is not properly maintained. Most companies have no idea how important it is to maintain any size system themselves with a group of talented, well paid employees. Taking shortcuts, cutting development and upgrade policies, and outsourcing creates huge security issues that make it possible for very large scale theft as we see here.

In short, the company can usually blame itself for any theft of this scale.

Paula Rosenblum
16 years ago

We at RSR are starting to take a different view of data security than we have in the past. We believe that PCI just isn’t enough, because the standard is static but the world changes.

As has been acknowledged above, security breaches are an evolving “art form”–assuming that PCI is going to solve the world’s security problems now and forever is as unrealistic as thinking the patches released by Microsoft in 2000 to prevent web site hacks are sufficient for eternity.

Where does that leave us? The same place server and PC security sits–with the operating system vendors. What’s the follow-on to WPA? What is the next generation of wireless (and wired) security? What should the firewall of 2009 look like?

These are just nascent thoughts that my partner Steve Rowen will spell out in more detail next week. Overall, my personal view is neither the banks nor the retailers should make security THEIR mission in life. This belongs to the purveyors of equipment.

Art Williams
16 years ago

Credit card and identity thefts are becoming such a big problem that it is hard to know if you are taking enough steps to protect yourself. I suspect many businesses are guilty of not being aware enough of what they should be doing. It’s hard for a low margin business to add expenses unless they feel that it is critical to their successful operation. I hope that we all are able to learn from their experience before it happens to us.

Liz Crawford
16 years ago

Bottom line–we will continue to have these problems until we move to Biometric ID. Dorothy Lane in Ohio has fingerprint payment as a functional part of their check-out system. Authentec offers fingerprint “lockdown” of cellphones.

This is the wave of the future for check-out, payments, mobile web devices and vending.

Ryan Mathews
16 years ago

Sadly Art, I don’t think it’s just an issue of awareness. The question isn’t “if” any individual retailer’s system will be hacked, it’s “when.”

Charlie Powell
16 years ago

I am also employed by the Washington State Veterinary Medical Association. About 18 months ago, our site was hacked and member information including credit card information used to pay dues were exposed. The hacker contacted us to tell us he’d done it and that we were vulnerable. He also said he took nothing and that he hacks for his own entertainment. To date what he said seems true.

Recently, a large brokerage and investment firm here in the Pacific NW suffered a similar attack. It may be the same hacker. I am curious to know if any other entities out there have had a similar experience.

Eddie Schwartz
16 years ago

There are some flawed assumptions from the get-go. PCI will not deal with the kind of “designer malware” issues faced by Hannaford. PCI is designed to deal with absolute minimum baseline security controls, primarily at the network layer. If you achieve PCI compliance, you are doing security 101, nothing more. To think that PCI compliance would have protected Hannaford is to think that having a bullet-proof vest will keep you from getting shot.

A serious adversary, such as the kind of well-funded and professional “carder” gangs that hit many companies like Hannaford, knows PCI calls for certain network countermeasures. So, these gangs are going to design specific attacks that evade traditional security approaches. This is really happening–we see it all the time with our clients in the government and financial services.

Retailers have to take matters into their own hands if they want to get a grip on this situation. Retailers have to up the ante on monitoring their networks for signs of designer malware activity. This requires a new kind of network monitoring and attention to detail. Retail networks will never be secure–with any technology. But, the key is to detect these kinds of attacks within minutes, before keystroke loggers are placed on POS systems by carder gangs.
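The monitoring the comment above calls for can be made concrete. What follows is an added example written for this page, not code from the article, from Hannaford, or from any commenter: it runs two simple detections over a constructed egress flow log for a POS network segment. The first flags POS hosts talking to any destination outside an allowlist of expected endpoints; the second flags host/destination pairs whose connection intervals are nearly constant, the fixed-interval "beaconing" that malware on a terminal typically produces when it phones home. The segment range, the allowlisted addresses and every log line are assumptions constructed for the example.

```python
# Added example (not from the page): two detections over constructed POS egress
# flow logs. Assumptions: POS terminals live in 10.20.0.0/16, and their only
# legitimate outbound destinations are two payment-gateway addresses and one
# internal patch server. All addresses and log lines are constructed.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

POS_SEGMENT = ip_network("10.20.0.0/16")                       # assumed POS range
ALLOWED_DESTINATIONS = {"203.0.113.10", "203.0.113.11", "10.1.1.5"}  # assumed allowlist

# Constructed sample flow log, one connection per line:
# "<timestamp> <src> <dst> <dport> <bytes>"
SAMPLE_FLOWS = """\
2008-03-10T09:00:00 10.20.4.17 203.0.113.10 443 2310
2008-03-10T09:00:05 10.20.4.17 203.0.113.10 443 1980
2008-03-10T09:01:00 10.20.4.17 198.51.100.7 443 412
2008-03-10T09:02:00 10.20.4.17 198.51.100.7 443 420
2008-03-10T09:03:00 10.20.4.17 198.51.100.7 443 409
2008-03-10T09:04:00 10.20.4.17 198.51.100.7 443 415
2008-03-10T09:10:00 10.20.4.22 10.1.1.5 80 51200
2008-03-10T09:11:30 10.20.4.22 203.0.113.11 443 2208
2008-03-10T09:12:00 10.30.2.9 198.51.100.7 443 800
"""


def parse_flows(text):
    """Parse the space-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def unexpected_egress(flows):
    """Return sorted (src, dst) pairs where a POS host reached a non-allowlisted destination."""
    hits = set()
    for f in flows:
        if ip_address(f["src"]) in POS_SEGMENT and f["dst"] not in ALLOWED_DESTINATIONS:
            hits.add((f["src"], f["dst"]))
    return sorted(hits)


def beacon_candidates(flows, min_count=4, max_jitter=5.0):
    """Return ((src, dst), mean_interval_seconds) for pairs with near-constant
    connection spacing: at least min_count connections whose inter-arrival
    gaps have a population standard deviation of max_jitter seconds or less."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    candidates = []
    for pair, times in sorted(by_pair.items()):
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            candidates.append((pair, mean(gaps)))
    return candidates


def report(text):
    """Run both detections and return alert strings suitable for a SOC queue."""
    flows = parse_flows(text)
    alerts = [f"unexpected egress: {src} -> {dst}" for src, dst in unexpected_egress(flows)]
    for (src, dst), interval in beacon_candidates(flows):
        alerts.append(f"beaconing: {src} -> {dst} every {interval:.0f}s")
    return alerts


if __name__ == "__main__":
    for alert in report(SAMPLE_FLOWS):
        print(alert)
```

In the constructed log only terminal 10.20.4.17 trips both rules: it contacts 198.51.100.7, which is not a gateway or patch server, and does so every 60 seconds with no jitter. The host 10.30.2.9 reaches the same address but sits outside the POS segment, so the egress rule ignores it; in a real deployment that host would get its own allowlist. Both rules depend on the allowlist being complete and on flow records from the POS segment actually reaching the monitor, which is the data-collection work the comment describes as a new kind of attention to detail.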

Cathy Hotka
16 years ago

Eddie’s correct. Now that these attacks are coordinated by organized crime rings, companies everywhere are going to need additional tools and processes beyond what they’re doing to maintain PCI compliance.

The Retail IT Network is creating a white paper on Selling Security to the CEO. The document will be ready in June, at no charge. Your input is appreciated; send a note to cathy@cathyhotka.com.

Mark Lilien
16 years ago

Until there are large penalties, retailers, banks, and credit card networks won’t invest substantially more to protect cardholders. Credit card holder protection gets budgeted like anything else: spend the least possible. If cardholders were awarded $1,000 each per incident, do you think security standards would rise?
