Malware Cited as the Cause of Massive Supermarket Data Breach

By Hozaifa Cassubhai

A massive data breach at an East coast supermarket chain compromised up to 4.2 million credit and debit cards earlier in March, leading to 1,800 cases of fraud arising as far away as Mexico, Italy and Bulgaria.  Recently, the Hannaford Bros. grocery chain announced the cause of that breach:  unauthorized software secretly installed on servers that intercepted data from customers as they paid with plastic at checkout counters.

While the precise source of the malicious software remains under investigation, the Scarborough, Maine-based grocer confirmed that Massachusetts regulators had been informed of the link between the breach and the malware, which polluted nearly all of the company’s 271 stores’ servers.  The U.S. Secret Service has confirmed that it is helping investigate the crime, although the scope of its involvement is unclear.

The Hannaford breach is unique to the extent that credit card numbers were stolen while the information was in transit, or at the point of sale.  This represents a new, more sophisticated line of attack, exposing the vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research.

The method contrasts with the usual mode of attack, which targets data sitting in databases, as was the case in the record-setting theft of information from Massachusetts-based TJX Cos in 2005 and 2006.  That breach compromised 45.7 million accounts of customers of T.J. Maxx and Marshalls stores and now forms the basis of a pending federal consumer lawsuit in Boston.

Hannaford states that its breach occurred between Dec. 7, 2007 and March 10, 2008, but notes that while the breach was ongoing, the company was found to be in compliance with the relevant industry security standards.  “We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement on March 17.  “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”

Written By: Al On April 24, 2008 8:32 AM

This incident raises many questions about security and privacy policies and standards. First, why isn't the private information in transit encrypted? This incident would have been avoided if Hannaford had a privacy policy to maintain customer private information, like credit card numbers, encrypted during the transmission between the register and the enterprise servers. Not only is this vulnerability exploitable by external attackers, but it is also so easy for an insider attack. Statistics show that internal attacks are very common and a high risk. This should raise the issue to elevate industry standards on privacy and have legislatures publish new compliance requirements at least for businesses dealing with customer credit information.

Second, why wasn't Hannaford alerted immediately when the servers were altered with the malware software? This is definitely a quality compliance issue as well. Businesses should have proper quality processes and procedures to ensure critical systems (especially if they are involved with credit card transactions) are monitored for authorized and unauthorized changes. Every single change should go through a thorough Change Control process as well as having controls for monitoring system changes and access. Proper auditing should also keep track of what, who, and when something was changed. These processes and controls may not eliminate all security issues 100%, but they serve as an effective deterrence.
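The change-monitoring control the comment above calls for can be illustrated with a simple file-integrity baseline: hash every file on a store server at change-control sign-off, then re-hash later and report anything added, removed or altered. This is an added example, not code from Hannaford or the article; the directory layout and file names in `demo()` are constructed for the scenario.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what was added, removed or modified since the baseline.
    In production the baseline would be stored off-host so a compromised server cannot edit it."""
    current = build_baseline(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a store server directory at sign-off, then
    simulate an unauthorized binary change plus a dropped unknown file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "pos_agent").write_bytes(b"approved build 1.0")      # constructed
        (root / "etc" / "pos_agent.cfg").write_text("upstream=branch-server\n")  # constructed
        baseline = build_baseline(root)  # taken when the change record was approved
        # Simulated activity after sign-off that no change record covers:
        (root / "bin" / "pos_agent").write_bytes(b"approved build 1.0 + tampered")
        (root / "bin" / "unknown_svc").write_bytes(b"constructed: not in change record")
        return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report lists what changed; pairing it with the audit trail of who approved each change record gives the what, who and when the comment asks for.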

Written By: Probate attorneys California On May 7, 2008 9:36 AM

As we see, the criminal has used a drawback in the centralised system. Isn't it another proof that security must be the top question on the agenda? It is awful to think that one's private information may be in danger even while shopping.
