Hannaford Data Breach May be 'Tip of the Iceberg'

Credit EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

The recent breach of a Maine-based grocery chain may just be the beginning of a novel and sophisticated attack method. Earlier this week, the Okemo Mountain Resort, a ski resort in Vermont, announced that it had been hacked in a similar manner. (SEE OKEMO ANNOUNCEMENT)

"It does look like the tip of the iceberg," says Nick Holland, a security analyst with the Aite Group, a Boston, MA financial services research firm. Law enforcement officials indicate that they are investigating as many as 50 other similar incidents in the Northeast.

News of the Hannaford Brothers breach broke on March 17 (SEE RELATED STORY: Hannaford Data Breach: The Victims Fight Back), and subsequent investigation revealed that malware was surreptitiously placed on the servers at 300 of the store locations. That malicious software then enabled criminals to capture "track 2" data as it was transmitted from the store to one of the credit card processors. Hannaford President and CEO Ron Hodge says in an apology to customers, "Security experts tell us [it] was a novel and sophisticated attack on our computer network that resulted in the theft of certain credit and debit card numbers."

The company says that the malicious software has been located and removed from company servers.

How Big is Big?
The breach saw 4.2 million credit card numbers taken, and more than 1,800 of those numbers have been reported as having been used. That number, according to law enforcement involved in the breach, is going up.

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Healthcare Enews General Healthcare Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

Hannaford's senior vice president and general counsel Emily Dickinson detailed the breach and how malicious software was installed on Hannaford's computers in a letter to Massachusetts Attorney General Martha Coakley and the Massachusetts Office of Consumer Affairs and Business Regulation. In the letter Dickinson says Hannaford was certified as meeting Payment Card Industry (PCI) standards in 2007 and also received PCI certification on February 27.

The U.S. Secret Service says the Hannaford breach began as one message sent to a Hannaford store, and it then multiplied and went to other Hannaford locations. The malicious software picked up credit card numbers and expiration dates as they were in transit between the store and the credit card company. It would also send "batches" of the collected numbers to an Internet Service Provider IP address overseas. Hannaford's web site says the "data was illegally accessed from Hannaford's computer systems during the card verification transmission process in transactions."

"This event is highly significant because it represents the first publicly-acknowledged theft of sensitive card authorization data in transit," says Avivah Litan, Vice President and Distinguished Analyst, Gartner Inc.

More card fraud has been discovered as a result of the breach. Law enforcement reports criminals are charging items on the cards in the Southern U.S. and up and down the east coast. Charges have turned up on the exposed cards in Mexico, Bulgaria and Italy.

PCI Compliance Equals Security?
The announcement by Hannaford that it was PCI-compliant is certainly not good PR for PCI, says Aite Group's Holland. He likens PCI compliance to a driver's license. "It means you passed the test, but then aren't scrutinized after when you're driving."

David Taylor, President of the PCI Security Vendors Alliance, points out PCI is not an insurance policy against network breaches.

"A PCI Assessment is a 'point in time' assessment," Taylor says. "Things can change in the network, and elsewhere in the systems and procedures that cause the company to 'fall out of' compliance."

This is why a company cannot expect that a once-a-year assessment protects them (like an insurance policy) for a whole year. The merchant is responsible for monitoring those changes (e.g., a new application, or someone opening up a port in the firewall, or turning off event logging or alerts - all of which happen every week in most organizations) on a nearly continuous basis.

The most important thing merchants can do is "operationalize" compliance says Taylor. Rather than have PCI (or SOX) be "owned" only in IT, Taylor recommends companies "spread the wealth" or "deputize" other people to own pieces of it for their departments. "If data security and privacy are owned by only a few people, the rest of the company becomes complacent, assuming that person will 'watch out for' the rest of the company," Taylor says. "But so many systems and business processes have potential vulnerabilities that 'narrow ownership' simply does not scale effectively."