Experts try to make sense of Hannaford data breach
But security experts on Tuesday were not shy about speculating how intruders may have been able to lift the card numbers while remaining hidden from detection for almost three months – all the while stealing from a company that said it was in compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
The data was accessed from Hannaford's systems while cards were being authorized for purchase, according to Hannaford. Some 2,000 cases of fraud already have been reported as a result of the breach, which began Dec. 7, 2007, and was discovered Feb. 27.
Some experts on Tuesday suggested the Scarborough, Maine-based company may have fallen victim to a number of security shortfalls, including lacking the proper monitoring solutions, failing to encrypt internal network traffic flowing between store and processor, and running point-of-sale systems that were open to attack.
Michael Dahn, chief technology officer of The Aegenis Group, which trains merchants in PCI security, said the compromise likely resulted from insecure wireless connections or remote access deficiencies. (The TJX breach, which exposed more than 45 million card numbers, is believed to have been caused by a wireless hack.)
Still others did not rule out the possibility of an insider attack being the cause of the Hannaford compromise.
Either way, Hannaford Bros., which operates 165 Hannaford stores in New England and New York state and 106 Sweetbay Supermarket outlets in Florida, likely fell out of compliance with PCI-DSS, experts said.
“If you look at all the data compromises that happen, it is very rare that a company that has maintained that compliance will be the result of a data compromise,” Dahn told SCMagazineUS.com on Tuesday. “The reason for this is that they're maintaining a high level of vigilance, a raised level of security above the next person.”
Mark McClain, chief executive officer of SailPoint Technologies, which offers identity risk management solutions, told SCMagazineUS.com on Tuesday that many businesses view security as nothing more than a compliance checklist.
“Often the focus shifts to what's the least cost, least painful path to becoming compliant rather than focusing on where the real risks are,” he said.
Cards belonging to all the major payment brands were impacted by the breach. Visa, in a statement, said it was investigating the incident but reminded cardholders that they are protected against fraud. Visa has a policy not to comment on the compliance state of its member retailers.
“Visa Inc. is working with Hannaford, its acquiring financial institution and law enforcement to investigate a potential compromise of card account information from the merchant's systems,” a statement from the payment brand said. “Visa is in the process of providing card issuers the compromised accounts so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.”
Meanwhile, a report in The Wall Street Journal on Monday said the U.S. Secret Service was investigating the possibility that track data, which includes PIN and CVV2 numbers contained in the magnetic stripe, may have been part of the information stolen. That data, which the payment brands prohibit from being stored, can allow card-not-present transactions.
Dahn said cybercriminals have gotten so sophisticated that they have created trojans that can be installed on point-of-sale systems to sniff traffic for this track data, even if it is not being stored.
“Now they're installing network sniffers that will garner this information as it's being sent in transit,” he said.
A Hannaford spokeswoman did not return a request for comment.
If an investigation determines that Hannaford was doing all it could to prevent a data exposure, it will be interesting to see if the Federal Trade Commission (FTC) takes any action, said Peter McLaughlin, senior counsel at Foley & Lardner and the former chief privacy officer for Cardinal Health.
“With the exception of real horror stories, most of the real financial damage [for breached companies] have come through FTC settlements,” he said. “If it turns out these guys were taking real reasonable steps, it could be a high-profile test, in the sense that the FTC will probably be under some pressure [to issue fines].”