Hannaford's Breach Tests Limits of Security Controls
Supermarket chain Hannaford Bros. is spending millions of dollars to upgrade its security in a bid to close the holes that allowed thieves to steal up to 4.2 million credit and debit card numbers from store networks.
The remarkable thing about this case is not that the company was hacked, despite being certified as compliant with the security rules laid out by the payment card industry, but that so few retailers and businesses who accept card data even reach the level of security Hannaford had in place prior to its breach.
In a conference call with reporters Monday, Hannaford chief information officer Bill Homa said the company planned to spend millions of dollars putting "military- and industrial-strength" security controls in place at its corporate and store networks. To that end, Homa said Hannaford is installing new intrusion-prevention systems to monitor the company's various networks, and that it is in the process of replacing PIN pads used to process card transactions at store registers with devices that secure the data with Triple DES encryption.
In addition, the company said it is introducing new firewalls and intrusion detection technologies at the store and corporate level to "strengthen the segmentation of payment information."
Security experts say that last bit is a critical step because the internal networks of many businesses are, to borrow a quip from security pioneer Bill Cheswick, a lot like a candy bar -- "crunchy shell around a soft, chewy center." That is, once the attackers (or insiders) gain a trusted foothold in the network, it's then trivial for them to hop around from one part of the internal network to the next.
Hannaford disclosed in mid-March that unknown intruders had planted malicious software on the point-of-sale systems at some 294 stores. That malware let the attackers capture card numbers and expiration dates as the data traveled from the point-of-sale terminals to the systems that authorize shoppers' transactions. A similar case was reported a couple of weeks later by Okemo Mountain Resort, a skiing destination in Vermont.
Avivah Litan, a security and fraud analyst with Gartner Inc., said network segmentation is a perfect example of a vital security component that is not spelled out in the payment card industry (PCI) standards required by MasterCard, Visa, and the card associations.
"If you read the standards, you'll see they were written for e-retailers," Litan said. "The PCI standards don't recognize that there's no good reason for a company's stores to be able to talk to one another when it comes to [processing] card data. The fact that malware was spread across almost 300 stores shows there wasn't good network segmentation in place at Hannaford."
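The segmentation gap Litan describes is something a retailer can test for in its own flow logs: on a properly segmented payment network, a store's card-data segment should reach its own devices and the authorization gateway, and nothing else. The script below is an added example, not code from Hannaford, Gartner or the article. It assumes a constructed address plan (store N owns 10.N.0.0/16, corporate owns 10.200.0.0/16, the authorization gateway is 10.200.5.10 on TCP 443) and a simplified `src dst dport proto` flow-record format; the sample records are made up.

```python
# Added example (not code from Hannaford or the article): audit flow records for
# traffic that a properly segmented payment network should never carry, such as
# one store's card-data segment talking to another store's.
import ipaddress

# Constructed address plan: store N (1..199) owns 10.N.0.0/16, the corporate
# data centre owns 10.200.0.0/16, and the only corporate host a store's
# card-data segment may reach is the authorization gateway over TLS.
CORPORATE_NET = ipaddress.ip_network("10.200.0.0/16")
AUTH_GATEWAY = ipaddress.ip_address("10.200.5.10")
AUTH_PORTS = {443}


def store_of(addr):
    """Return the store number for a store address, or None for anything else."""
    if addr in CORPORATE_NET or addr.packed[0] != 10:
        return None
    n = addr.packed[1]
    return n if 1 <= n <= 199 else None


def classify(src, dst, dport):
    """Return None if the flow is permitted, else a short reason string."""
    s_store, d_store = store_of(src), store_of(dst)
    if s_store is None:
        return None  # corporate or unknown source; management traffic is out of scope here
    if d_store == s_store:
        return None  # traffic within one store's own segment
    if d_store is not None:
        return "store-to-store lateral traffic (store %d -> store %d)" % (s_store, d_store)
    if dst == AUTH_GATEWAY and dport in AUTH_PORTS:
        return None  # the one sanctioned path out of the store
    if dst == AUTH_GATEWAY:
        return "authorization gateway reached on non-TLS port %d" % dport
    return "store %d reached corporate host %s (not the authorization gateway)" % (s_store, dst)


def audit_flows(text):
    """Parse 'src dst dport proto' records and return the offending ones with reasons."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        reason = classify(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))
        if reason:
            findings.append({"flow": line, "reason": reason})
    return findings


# Constructed sample flow records (not real Hannaford traffic).
SAMPLE_FLOWS = """\
10.12.3.20 10.12.3.1 443 tcp
10.12.3.20 10.200.5.10 443 tcp
10.12.3.20 10.57.3.20 445 tcp
10.57.3.20 10.200.7.33 3389 tcp
10.200.9.5 10.12.3.20 22 tcp
10.12.3.20 10.200.5.10 80 tcp
"""

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", f["flow"], "->", f["reason"])
```

Run against the sample records it flags three flows: store 12 talking to store 57, store 57 reaching a corporate host other than the gateway, and the gateway being contacted on port 80. Malware spreading across hundreds of stores, as in the Hannaford case, would show up as the first kind of finding long before any card data left the building.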
I speculated earlier this month that the Hannaford incident may presage a trend. I'm sticking by that prediction for one big reason: Fewer retailers are storing customer payment data, and those that do are encrypting it, as they should. Consequently, the attackers increasingly are going after the data in transit, another area of security not well-specified in the payment card standards (e.g., there's nothing in the PCI rules that says companies have to encrypt sensitive data when it's flowing across their internal networks).
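Whether card data is crossing the internal network in the clear is also something a retailer can check rather than assume. The scanner below is an added example, not the article's or Hannaford's code: it runs over captured payloads, picks out 13- to 19-digit runs, keeps only those that pass the Luhn check, and reports them masked (first six and last four digits). The record format and the sample captures are constructed; the card numbers are the widely published test numbers, not real accounts.

```python
# Added example (not the article's or Hannaford's code): scan captured internal
# traffic for card numbers travelling in the clear, which is exactly what a
# compromised point-of-sale host would be able to read. Finds Luhn-valid
# 13-19 digit runs and reports them masked, never whole.
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits):
    """Standard Luhn check (ISO/IEC 7812) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(payload):
    """Return the Luhn-valid card numbers (digits only) found in a text payload."""
    found = []
    for m in CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_records(records):
    """records: iterable of (src, dst, payload). Returns one finding per record that carries PANs."""
    findings = []
    for src, dst, payload in records:
        pans = find_pans(payload)
        if pans:
            findings.append({"src": src, "dst": dst, "pans": [mask(p) for p in pans]})
    return findings


# Constructed sample captures: a cleartext authorization request, a TLS record
# (opaque bytes), a benign message whose 13-digit trace id fails Luhn, and a
# refund message with a space-separated card number.
SAMPLE_RECORDS = [
    ("10.12.3.20", "10.200.5.10", "AUTH PAN=4111111111111111;EXP=0910;AMT=4213"),
    ("10.12.3.21", "10.200.5.10", "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.12.3.22", "10.200.7.33", "INVENTORY TRACE=1234567890123 SKU=88172"),
    ("10.12.3.23", "10.200.5.10", "REFUND CARD 5105 1051 0510 5100 AMT=1999"),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print("cleartext PAN", f["src"], "->", f["dst"], f["pans"])
```

The Luhn filter matters: without it, every 13-digit trace id or phone number becomes a false positive. Two of the four sample records are flagged; the TLS record and the inventory message are not. A check like this run periodically on a span port is a cheap way to find the gap the PCI rules of the time did not require retailers to close.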
Some experts have speculated that the Hannaford breach was the work of a former or current employee. While Hannaford won't provide that level of detail on the breach due to an ongoing law enforcement investigation, the insider threat makes an even stronger case for retailers going beyond the PCI standards. If your network isn't properly segmented, and payment card information is sent in the clear over internal networks, it's game over if there's a crooked insider in your midst, said John Nicholson, a senior associate at Pillsbury Winthrop Shaw Pittman LLP.
Nicholson said many data compromises, particularly those perpetrated by insiders, are due to a lack of network segmentation and proper access controls.
"There are two groups in the security industry: people who sell security products, and those who do security within companies. The former tend to focus on the hacker threat, viruses and hackers. The people who really do security at the network level talk a lot about the threat that insiders pose, because once someone is inside your network, it's really easy to do bad things."
Hannaford's Homa said the company was certified in 2007 and again in early 2008 as PCI compliant. Granted, PCI compliance is more of a snapshot in time than it is a guarantee that companies will always do the right thing from a security perspective. But what about the companies handling customer data that have not even met these basic standards yet?
According to stats released by Visa in January, nearly half of all Level 2 merchants (those that process between one and six million transactions a year) are still not PCI compliant. Roughly 77 percent of Level 1 merchants (more than six million transactions per year) are in sync with the standards, Visa said. Slightly more than half (54 percent) of e-commerce-only merchants were certified as PCI compliant in January.
By Brian Krebs |
April 23, 2008; 5:40 PM ET
From the Bunker
Posted by: LonerVamp | April 23, 2008 6:03 PM
so it's the media's fault? should there not be a discussion about how to raise the "lowest bar" as you say? sounds like it sure is time to do that.
Posted by: ahh | April 23, 2008 7:16 PM
This kind of stuff is a serious problem. I just keep getting younger & better looking in my picture on the WaPo site. LOL
Posted by: brucerealtor | April 24, 2008 3:23 AM
Hannaford is not holding back on releasing more information about the attack because of "on-going legal investigation". Which, by the way, may be "on-going" but they will end up nowhere, or at the doorstep of some low-level bad guy. Hannaford is holding the information back because that is just the way the game is played, at all times, and in all data breaches. And they will sit on it forever because their lawyers will tell them to do so.
Welcome to the INFOSEC world. This lack of first-hand knowledge of how these attacks happened, are happening, and may be happening in the future was a constant refrain at RSA 2008. Top researchers operate in a world of half-assed media reports (yours excepted, Brian), rumors, gossip, and NDA agreements. Imagine if this was a real-world viral outbreak and the company in question said sorry, can never share with researchers the dynamics of the outbreak?
I live in Maine and work in INFOSEC. I have been interviewed, and briefed by the media in this case. I am up, relatively speaking, on the SPECULATED fact pattern in this case. There are a lot of vital questions that we are never going to get the answer to. That is just the way it is. And will continue to be until reporting of this information (think SAR that the Fed requires) is mandated. And I am not holding my breath for that to happen.
Posted by: jonst | April 24, 2008 8:46 AM
Yikes. This story is one of the reasons why my husband and I are leaning towards going back to paying for more of our purchases with cash.
Posted by: Heron | April 24, 2008 9:07 AM
If the Primary Account Numbers are kept from entering the POS and Tokenization technology is used to replace real card data, the threat of future data theft from the system is effectively eliminated. This technology is available and would greatly benefit Hannaford Brothers going forward. Compliance with PCI is a great place to start, Real Security is a great place to end up.
Posted by: Randy Carr | April 24, 2008 2:44 PM
As more stories like this unfold, the questions on the minds of data security professionals are "How do I mitigate the risk of data loss in general?" and "How do I prevent this type of loss (insider attacks, data transmissions or storing sensitive information) in particular?"
The answer to both questions is to keep your data out of a position where it's vulnerable to theft or other loss by protecting it, everywhere. In this particular incident, the real sin committed was not the loss of the data itself, but rather the fact that the company passed the PCI standards, thus thinking they were protected. The comfort in the compliance was the great downfall; they lost sight of what is really important...protecting the data itself. Why take unnecessary risks when solutions exist to completely eliminate this type of exposure?
There are technologies specifically developed to secure the data itself for transport, storage or backup. A strong encryption solution coupled with network security solutions will protect the data itself and keep hackers out of the network. Also, with the new advancements in Policy and Key management solutions, organizations can encrypt all of their data as it travels the network, end-to-end. With these solutions in place, the data is securely transported electronically, drastically reducing the chances of being stolen; and because the data is encrypted, it is useless to anyone except the intended recipient.
Posted by: Gregg Shupe | April 25, 2008 8:21 AM
We have always compared the PCI Standard to Alcoholics Anonymous; both are 12-step programs with no certainty of success. I applaud what Hannaford is doing, as they just laid the 800-ton elephant on the table.
Posted by: IM Ariot | April 25, 2008 1:41 PM
I am intimately familiar with recovering from a break-in at a large retail organization. Although there are technologies recently available (e.g. "tokenization" of PAN) to remove card data from the authorization processes within retailers systems and networks, this technology doesn't work very well with legacy systems (and the entrenched IT departments that support them) used for settlement, sales audit, loss prevention and consumer marketing systems, among others, that historically rely on this data. All of these systems and the business processes that rely on them also have to be re-engineered at a not insignificant cost.
There are NO simple solutions. Fixing this problem is complex, requires changes to existing business processes and can even require a shift in corporate culture; it's not simply a technology issue.
Posted by: G_Lamont | April 25, 2008 6:27 PM
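Randy Carr's comment above describes keeping the Primary Account Number out of the POS by replacing it with a token, and G_Lamont's reply points out why legacy settlement, audit and marketing systems make that hard in practice. The class below is an added example, not either commenter's code and not any vendor's product: a minimal in-memory token vault that shows the mechanism. It assumes a keyed HMAC index so the lookup table leaks no PANs, format-preserving tokens that keep the length and last four digits (so receipts and loss-prevention reports keep working, which is part of the legacy-system problem G_Lamont raises), and a role check so only a settlement process can ever get the PAN back. The key and the test card number are constructed.

```python
# Added example (not Randy Carr's or G_Lamont's code, nor any vendor's product):
# a minimal token vault showing what "keeping the PAN out of the POS" means.
# The store systems only ever see the token; the real PAN lives in one vault
# behind an access check, and only the settlement role may detokenize.
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical in-memory vault. A production vault would persist the mapping
    in an encrypted store and put this API behind authentication and audit logging."""

    DETOKENIZE_ROLES = {"settlement"}

    def __init__(self, index_key):
        self._index_key = index_key   # HMAC key so the index itself holds no PANs
        self._token_by_index = {}     # HMAC(PAN) -> token
        self._pan_by_token = {}       # token -> PAN (the only copy of the PAN)

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        """Return a stable token for a PAN; the same PAN always maps to the same token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # Format-preserving token: same length, same last four (so receipts, loss
        # prevention and marketing systems keep working), random everything else.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and token != pan:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token, role):
        """Return the PAN for a token, only to roles that genuinely need it."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError("role %r may not detokenize" % role)
        return self._pan_by_token[token]


def pos_sale(vault, pan):
    """What the register does: hand the PAN to the vault at the edge and keep only the token."""
    token = vault.tokenize(pan)
    receipt_line = "CARD ************" + token[-4:]
    return token, receipt_line


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token, receipt = pos_sale(vault, "4111111111111111")  # constructed test PAN
    print("POS stores:", token, "| receipt:", receipt)
    print("settlement sees:", vault.detokenize(token, "settlement"))
    try:
        vault.detokenize(token, "marketing")
    except PermissionError as e:
        print("marketing blocked:", e)
```

The point of the design is where the PAN lives: once the register has called `tokenize`, nothing downstream in the store (databases, logs, the loss-prevention feed) ever holds the real number, so malware on the POS or a flat network between stores has nothing worth capturing. The cost G_Lamont describes is real, though: every system that keyed on the full PAN has to be changed to key on the token instead.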
Greg S,
How in the world do you make all these assertions in your comments about what Hannaford did or did not do, and what the reason was that things went wrong? How do you know anything without knowing the underlying facts of the attack? Amazing...
Posted by: jonst | April 26, 2008 10:00 AM
jonst,
I agree, there is not enough information out there about the Hannaford security breach to Monday-morning quarterback. I am attempting to highlight an issue that companies who are using the network to protect the data are not paying attention to the data itself. While we don't need to know the exact details of the breach in the Hannaford case, all we need to know is the data was not protected. If companies would place their efforts on protecting the data, via encryption or any other method, rendering it useless to all unintended recipients, those companies would find themselves with a huge competitive advantage and customer loyalty.
Posted by: Gregg Shupe | April 29, 2008 12:26 PM
I found out by accident today that my Mastercard account was "compromised" and I will be receiving a new card/account by mail. The HSBC customer service rep mentioned Hannaford as the possible point of compromise, but had no other information. Since I'm not a customer of that supermarket, there must be yet another incident which has not been reported. Has anyone heard of other recent credit card security breaches?
Posted by: bstall | April 29, 2008 4:18 PM
First, of course the CIO is going to shift blame if he sees the opportunity. It was only a matter of time before a compliant company was hacked and then upped the ante by saying "we're now installing military-grade crap..." What else will an exec say? Some will accept their licks, but the vast majority have to pass the buck somewhere, right or wrong.
Second, PCI is not a guarantee of security, no matter how often media wants to paint it like it is such. PCI is a means to raise the lowest bar; raise the lowest denominator, make sure companies are not *grossly* incompetent. Not only does PCI not guarantee security, but nothing does. An incident is an inevitability in an economic world. Again, the fault of most media is to treat each incident like it was ultimately preventable. Sure, some mistakes are stupid and could have reduced risk, but nothing would eliminate it.
Posted by: LonerVamp | April 23, 2008 6:03 PM