Hannaford Data Breach May be 'Tip of the Iceberg'Ski Resort Reports Similar Breach; Investigators Eye up to 50 Other Incidents
"It does look like the tip of the iceberg," says Nick Holland, a security analyst with the Aite Group, a Boston, MA financial services research firm. Law enforcement officials indicate that they are investigating as many as 50 other similar incidents in the Northeast.
News of the Hannaford Brothers breach broke on March 17 (SEE RELATED STORY: Hannaford Data Breach: The Victims Fight Back), and subsequent investigation revealed that malware was surreptitiously placed on the servers at 300 of the store locations. That malicious software then enabled criminals to capture "track 2" data as it was transmitted from the store to one of the credit card processors. Hannaford President and CEO Ron Hodge says in an apology to customers, "Security experts tell us [it] was a novel and sophisticated attack on our computer network that resulted in the theft of certain credit and debit card numbers."
The company says that the malicious software has been located and removed from company servers.
How Big is Big?
The breach saw 4.2 million credit card numbers taken, and more than 1,800 of those numbers have been reported as having been used. That number, according to law enforcement involved in the breach, is going up.
Hannaford's senior vice president and general counsel Emily Dickinson detailed the breach and how malicious software was installed on Hannaford's computers in a letter to Massachusetts Attorney General Martha Coakley and the Massachusetts Office of Consumer Affairs and Business Regulation. In the letter Dickinson says Hannaford was certified as meeting Payment Card Industry (PCI) standards in 2007 and also received PCI certification on February 27.
The U.S. Secret Service says the Hannaford breach began as one message sent to a Hannaford store, and it then multiplied and went to other Hannaford locations. The malicious software picked up credit card numbers and expiration dates as they were in transit between the store and the credit card company. It would also send "batches" of the collected numbers to an Internet Service Provider IP address overseas. Hannaford's web site says the "data was illegally accessed from Hannaford's computer systems during the card verification transmission process in transactions."
"This event is highly significant because it represents the first publicly-acknowledged theft of sensitive card authorization data in transit," says Avivah Litan, Vice President and Distinguished Analyst, Gartner Inc.
More card fraud has been discovered as a result of the breach. Law enforcement reports criminals are charging items on the cards in the Southern U.S. and up and down the east coast. Charges have turned up on the exposed cards in Mexico, Bulgaria and Italy.
PCI Compliance Equals Security?
The announcement by Hannaford that it was PCI-compliant is certainly not good PR for PCI, says Aite Group's Holland. He likens PCI compliance to a driver's license. "It means you passed the test, but then aren't scrutinized after when you're driving."
David Taylor, President of the PCI Security Vendors Alliance, points out PCI is not an insurance policy against network breaches.
"A PCI Assessment is a 'point in time' assessment," Taylor says. "Things can change in the network, and elsewhere in the systems and procedures that cause the company to 'fall out of' compliance."
This is why a company cannot expect that a once-a-year assessment protects them (like an insurance policy) for a whole year. The merchant is responsible for monitoring those changes (e.g., a new application, or someone opening up a port in the firewall, or turning off event logging or alerts - all of which happen every week in most organizations) on a nearly continuous basis.
The most important thing merchants can do is "operationalize" compliance says Taylor. Rather than have PCI (or SOX) be "owned" only in IT, Taylor recommends companies "spread the wealth" or "deputize" other people to own pieces of it for their departments. "If data security and privacy are owned by only a few people, the rest of the company becomes complacent, assuming that person will 'watch out for' the rest of the company," Taylor says. "But so many systems and business processes have potential vulnerabilities that 'narrow ownership' simply does not scale effectively."
With the pace that fraud is evolving, says Holland, an annual audit for PCI may not be enough. "With the fast flux attacks and the use of botnets by criminals, it must be an ongoing effort," Holland says. "It's not a check box compliance issue anymore. It is something that has to be continuously monitored."
Will PCI compliance hold water with other retailers after these breaches? Litan says time will tell. "Theoretically, Hannaford should not have to pay PCI-non-compliance related breach fines if they were compliant at the time of the breach. If they do, merchants will lose trust in the fairness of the PCI compliance system."
Consumer Security Fatigue
Hannaford has been the buzz in every town in the Northeast since the story broke, but consumer security fatigue may be setting in as more breaches hit the headlines, say Holland and Litan. This breach affected a concentrated number of consumers in a geographic area, so it may also spill over to damage other retailers' reputations and brands, not just the Hannaford brand. "Consumers will now question the security of other retailer's systems and ask themselves, 'how do I know this merchant is safe?'" says Holland.
Based on what happened with TJX, Litan doesn't anticipate any negative fallout from consumers. "Although consumers affected by the TJX breach squarely blamed the retailer for it, they value discounts over inconvenience. And consumers know they will get their money back (usually) from their banks," she adds. Retailers, however, will be very nervous about security - and their ability to ward off more sophisticated attacks.
Cost To Financial Institutions
The customers affected by the Hannaford breach are turning to their banks and credit unions for help and questions. The Maine Credit Union League's president and CEO John Murphy estimates its 68 member institutions will have to reissue about 150,000 cards. If the TJX data breach costs are held up as a comparison, this breach may end up costing affected financial institutions millions of dollars. Most are reissuing cards for customers affected by the breach, and card replacement costs range from $10 to $14 per card for some institutions, say industry sources.
"In recent years, many major U.S. merchants, largely due to pressure from Visa, have worked to move this data out of their data stores," says Litan. The theft is likely to be particularly damaging for card-issuing banks. "The theft of the security codes hidden in a card's magnetic stripe enables criminals to manufacture counterfeit cards, and any fraudulent charges made using the counterfeit cards must be borne by the issuing banks," she says.
Under Visa rules, if a merchant is identified as the source of the data breach, direct fraud costs initially borne by the bank can be charged back to the retailer. Without the security codes, criminals can use the card information only in card-not-present environments, for example, to make online purchases -- in which case the retailer bears liability, Litan explains.
Visa has made some progress in improving the security of stored data, and some criminals are targeting card authorization data in transit. Litan notes this is an area where data protection has lagged. "This theft shows that a focus on end-to-end protection of customer data, not simply on compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), is critical for merchants and other card-industry stakeholders," she says.
The PCI requirements that emphasize the maintenance of secure systems and applications (Section 6) and the regular monitoring and testing of systems and processes (Sections 10 and 11) should be implemented as continuous processes that consider the entire path that sensitive data travels. "Focusing only on PCI compliance may limit the possibility of fines from acquiring banks, but will do nothing to prevent the much-larger costs of a data breach," she notes.
The good news, Litan says, is that it [Hannaford's breach] will, eventually, lead to a safer payment system. "The bad news is that a lot of retailer blood will be spilt along the way."