There goes another one.
According to multiple sources, the Hannaford Brothers grocery chain suffered a major breach with 4.2 million credit cards exposed. Hannaford has published an FAQ for its customers. Odds are it will be months until we find out what really happened, but I’m going to speculate anyway, pick apart the press coverage and FAQ, and see if we can learn something from this now.
As usual, the information released is incomplete and contradictory.
PORTLAND, Maine (AP) – A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday. Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed. The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.
This is interesting since there is a direct tie to fraud, as opposed to many other breaches. This often means the fraud was detected in the credit system and then traced back to the retailer, which seems to be what happened based on the FAQ. As a researcher it’s always helpful to be able to tie the breach to illegal activity. This does, of course, suck for the victims, but as long as it’s credit card fraud they are protected.
Since the information was stolen during the authorization process, and the theft was distributed over many locations, it points to a compromise of the central authorization system or the credit card processor. It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application. My money is 70% on sniffing, 30% on something in the database.
No personal data such as names, addresses or telephone numbers were divulged – just account numbers.
This can’t be true. Without names, the card numbers are unusable.
Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough. “We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”
This reinforces the likelihood of a network breach and sniffing, assuming the statement is true. How was the network breached? Could be any one of hundreds of ways. Targeted phishing and compromise of the central network from a remote location are common. I can’t add anything more than pure speculation on this one.
The company urged its customers to monitor their credit and debit cards for unusual transactions and report any problems to authorities.
Actually, card issuers should reissue the cards and just eliminate the chance of greater fraud. This is irresponsible. Since this is just loss of credit cards, there is no need for identity theft protection.
Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said. “I had expected there would be more than we’ve heard of,” Walker said. “But it’s still too early for us to tell.”
Strange. I consider 1,800 a large number. It could be that the fraud was performed directly in the Hannaford system or something. Or this is an erroneous statement.
The FAQ gives us a little more information and narrows things down.
What happened? Hannaford announced containment of a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. This data was illegally accessed from Hannaford’s computer systems during the card verification transmission process in transactions. Further, Hannaford is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected.
Somewhat contradictory, with a mention of data security and network, but I don’t expect everyone to be as picky about those details as we are. I suspect the last sentence means fraud alerts are in place, and cards are probably being reissued to some extent.
When did you discover the intrusion? Hannaford was first made aware of suspicious credit card activity on Feb. 27, and immediately initiated a comprehensive investigation with the assistance of leading computer security experts.
Bingo. It was detected by the banks or credit card companies, then brought to Hannaford.
Is it safe to continue shopping in your stores? We have continually devoted significant round-the-clock resources to ensure Hannaford has comprehensive data security systems in place. For example, our security measures meet industry compliance standards and many go above and beyond what is required by industry standards.
In other words, PCI is worthless.
In conclusion, it looks like some sort of a network breach (which could be anything from phishing/malware to compromise from a retail location to a full network hack). A sniffer was possibly installed, since it seems they don’t keep credit card information (again, assuming statements are true). The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain. Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part.
How to prevent this?
We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.
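If the sniffing hypothesis is right, the failure is that a card number crossed a network link in a form anyone on that link could read. A monitoring check a defender can run against captured authorization traffic is to look for Luhn-valid 13-19 digit strings in payloads; a hit means the PAN is in the clear on that segment, which is exactly the condition encryption in transit is supposed to rule out. The script below is an added example, not code from the original post or from Hannaford; the key=value message formats and the terminal/store identifiers are constructed for illustration (real authorization traffic such as ISO 8583 looks different, but the detection idea carries over).

```python
"""
Detect primary account numbers (PANs) travelling in the clear.

Added example, not from the original post or from Hannaford. Message
formats, store names and terminal ids below are constructed. The check
is a DLP-style scan: any Luhn-valid 13-19 digit string visible in a
captured payload means the card number was sent unencrypted on that link.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS display rule); mask the rest.

    Findings should never re-log the full PAN, or the monitor itself becomes
    a place where card data is stored unencrypted.
    """
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    source: str      # which capture / link the payload came from
    masked_pan: str  # 411111******1111 style, safe to log
    offset: int      # byte offset of the match within the payload


def find_cleartext_pans(payload: bytes, source: str = "capture") -> list[Finding]:
    """Scan one captured payload and return every Luhn-valid PAN found in it.

    Luhn filtering removes most numeric noise (timestamps, amounts, terminal
    ids) but not all of it; roughly one random digit string in ten passes,
    so a BIN/IIN prefix check is a sensible second filter in production.
    """
    text = payload.decode("latin-1")  # byte-for-byte mapping, never raises
    findings: list[Finding] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(source, mask_pan(digits), m.start()))
    return findings


# Constructed sample payloads standing in for two ways a store could send an
# authorization request to the central system, plus a non-card message.
SAMPLES: dict[str, bytes] = {
    # Plaintext request: the PAN is readable to anyone sniffing the link.
    "store-017 cleartext": b"MSG=AUTH;PAN=4111111111111111;EXP=0910;AMT=4237;TERM=017-03",
    # Same transaction after the PAN is encrypted at the terminal: only an
    # opaque blob (constructed) crosses the network, so nothing to sniff.
    "store-017 encrypted": b"MSG=AUTH;PANENC=R2F0ZWQ6YWJjZGVmMDEyMzQ1;EXP=0910;AMT=4237;TERM=017-03",
    # Numeric noise: a 14-digit timestamp that fails the Luhn check.
    "store-017 heartbeat": b"MSG=PING;TS=20071207143000;TERM=017-03",
}


def scan_all(samples: dict[str, bytes]) -> dict[str, list[Finding]]:
    """Run the PAN scan over every labelled payload."""
    return {name: find_cleartext_pans(data, name) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        status = "PAN IN CLEAR" if hits else "ok"
        details = " ".join(f"{h.masked_pan}@{h.offset}" for h in hits)
        print(f"{name:22s} {status} {details}")
```

Only the plaintext request produces a finding; the encrypted form of the same transaction and the heartbeat message pass clean. Run over a real capture of the store-to-processor link, a zero-finding result is the evidence that requirement 4.1-style transit encryption is actually in effect, rather than assumed from a compliance report.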
10 Replies to “Picking Apart The Hannaford Breach- What Might Have Happened”
It is against PCI-DSS to store ANY secure credit card data (Credit Card Numbers, Expiration Data) unencrypted. It is also against policy to store CVV2 Numbers ANYWHERE.
If they were PCI-DSS compliant the only place to steal that information is out of program memory by compromising the application, prior to encryption (at the terminal), or breaking the encryption.
PCI specifies the concepts of securing a system, not the details, and they shouldn’t. The details change with increased technology.
It still seems a little too coordinated/advanced to be a random worm, but that’s some very interesting information. Could have been something custom then.
I’m an analyst following the PCI landscape and I have heard from reliable sources that the Point of Sale systems were compromised by worms. We are also seeing a lot of enquiries for products that lock down Point of Sale systems. Vendors like Tripwire and Solidcore are experiencing double-digit growth fueled by this requirement. News on the grapevine is that Solidcore has closed at least 5 mega deals and is preparing for an IPO.
As more stories like this unfold, the questions on the minds of data security professionals are “How do I mitigate the risk of data loss in general?” and “How do I prevent this type of loss (insider attacks, data transmissions or storing sensitive information) in particular?”
The answer to both questions is to keep your data out of a position where it’s vulnerable to theft or other loss by protecting it, everywhere. In this particular incident, the real sin committed was not the loss of the data itself, but rather the fact that the company passed the PCI standards, thus thinking they were protected. The comfort in the compliance was the great downfall; they lost sight of what is really important…protecting the data itself. Why take unnecessary risks when solutions exist to completely eliminate this type of exposure?
There are technologies specifically developed to secure the data itself for transport, storage or backup. A strong encryption solution coupled with network security solutions will protect the data itself and keep hackers out of the network. Also, with the new advancements in Policy and Key management solutions, organizations can encrypt all of their data as it travels the network, end-to-end. With these solutions in place, the data is securely transported electronically, drastically reducing the chances of being stolen; and because the data is encrypted, it is useless to anyone except the intended recipient.
It’s possible, but all the reports specifically state that retail locations were compromised.
Interesting on the CNP transactions. I thought you always needed a name, not just the card number. Apologies for getting that wrong.
Why is no one considering the idea that First Data Corp. could be the culprit here and not Hannaford at all? They use PCI to validate the security of their systems as well.
Credit card numbers are NOT useless without the name.
You can use a credit card without having to know the name of the card holder. I worked at a store where I took payments over the phone. We simply asked for the CCN and exp date. No name was required. The criminals need to own or have access to one of those credit card machines, they can simply type in the numbers and charge the customer for a fake service or product and pocket the money. Or, they could find some other sort of way to convert a credit charge to cash, services, or products through a third party. For instance, they could call a 900 number that the criminals ultimately own. That way they filter the money through the phone company.
Securosis.com gives a lot of interesting perspective in their post, Picking Apart The Hannaford Breach- What Might Have Happened.
Why not just face the facts?
Hackers will get card numbers in a variety of ways in a variety of exposure levels (Hannaford= 4M card numbers; TJX= 90+M? cards; your irresponsible son = 1 card), no matter the security steps.
As a consumer, if you use cards, you have to review your account activity and statements carefully and regularly. You cannot expect someone to do it for you. If you are unable or unwilling to do this, get rid of your cards and stop whining.
Bankers and card issuers, get smart about your risk management policies and practices. Are blanket reissues of millions of cards on suspect lists cheaper than your insurance premiums, consumer fraud chargebacks, risk mitigation and fraud detection costs? The bottom line: there is a baseline cost of playing this game; make some decisions on objective facts and wise up: how much are you willing to pay and how will you be recovering these expenses?
Merchants: see the previous paragraphs and consider how consumer fraud reports will impact the issuers and insurers; consider how the issuers and insurers will recover their losses. How much are you willing to pay and how will you recover these expenses?
In the spirit of the fuel cost adjustment fee we are now seeing regularly, I propose a data security risk fee to be applied to all at-risk transactions for greater transparency.
I think we don’t have all the information, so everybody is engaging in various levels of speculation (which is probably more worthless than PCI is alleged to be). More info on all of this from a legal standpoint at my blog: http://www.infoseccompliance.blogspot.com
However, we do know two facts: (1) compliance with PCI was represented in Hannaford’s privacy policy (last visited 3-21-2008); and (2) there was a breach exposing cardholder data.
In my view, here are some of the possibilities (in no particular order of likelihood, and by no means an exclusive list):
(1) the qualified security assessor (QSA) (or internal assessor) may have misinterpreted or loosely interpreted a section of the PCI standard (and the reality was there were security weaknesses); potential culprit is 4.1 if unencrypted data was swiped in transit;
(2) the PCI compliance may have been old or outdated (e.g. they may have been PCI compliant 9 months ago, but perhaps added new systems that were not secured consistently with PCI);
(3) Hannaford may not have provided all of the information to the QSA (assuming one was used) that it needed to validate its decision (e.g. this could include mistakes in defining which parts of Hannaford’s networks were in-scope/out-of-scope);
(4) Hannaford may have been 100% PCI compliant and reasonably secure in general and just got unlucky (e.g. there is no such thing as 100% perfect security). Under this scenario, Hannaford would argue that it was not negligent because it did all the right things and that unfortunately these things just happen.
(5) Hannaford and/or its QSA may have had a security weakness or questions about an ambiguity and may have had either the PCI Council, its upstream payment processor or its merchant bank give a bad interpretation.
(6) Hannaford may have been perfectly PCI compliant, but nonetheless engaged in “negligent security” practices (e.g. under the law, the industry standard is necessary, but not necessarily adequate—see T.J. Hooper)
The interesting issue will be, assuming that some sort of negligence is shown, who was/is ultimately responsible? Hannaford? The QSA? A merchant bank that accepted Hannaford’s certification? The standards setting body?