Saturday, March 29, 2008

How did hackers plant malware at Hannaford Bros. and steal 4.2 million payment card numbers?

Hannaford Brothers, the latest retailer to be compromised in a large-scale data breach, is reporting that hackers using malware breached their systems.

The next million dollar question (literally) is how was the malware (sometimes referred to as crimeware) dropped on their system? A lot of people are looking at this carefully because the company had been certified as meeting PCI (Payment Card Industry) data protection standards.

Ross Kerber at the Boston Globe, who gets the hat tip for breaking this latest development in the story, wrote:

Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.

In contrast, Hannaford says it did not store customer information. The hackers who struck Hannaford mined a stream of data that the merchant and banks were not responsible for protecting under industry rules, industry specialists said.

Because hackers, criminals and misfits rarely give up their latest hacks, we'll have to be content with speculation from the experts.

Jaikumar Vijayan at ComputerWorld was able to get some expert speculation from "Mike Paquette, chief strategy officer at Top Layer Networks, a vendor of intrusion-prevention systems in Westboro, Mass." Bill Brenner at SearchSecurity.com wrote about increasing speculation that a dishonest insider planted the malware on Hannaford's network.

The insider theory intrigues me because it seems that most security breaches can be traced to a social cause. A dishonest human who has been given access to a system can defeat a lot of (most) computer security.

To dig further into all the speculation that has come about from the Hannaford announcement, I decided to see what the blogosphere had to say.

Securosis.com gives a lot of interesting perspective in their post, Picking Apart The Hannaford Breach - What Might Have Happened.

The post points out some interesting thoughts, such as that credit card numbers are useless without names (Hannaford claims no names or Social Security numbers were stolen) and that the breach was most likely discovered at financial institutions when customers complained about fraudulent transactions on their cards.

rmogull summed up his "admitted" speculation with:

In conclusion, it looks like some sort of a network breach (which could be anything from phishing/malware to compromise from a retail location to a full network hack). A sniffer was possibly installed, since it seems they don’t keep credit card information (again, assuming statements are true). The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain. Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part.

There are also some interesting comments with more speculation at the bottom of the post. From what I can gather, a lot of IT types read this blog.

In the end, as long as there is a lack of transparency in data breaches, the best anyone can do is speculate. The reasons for a lack of transparency in data breaches are a mile long, encompassing everything from protecting ongoing investigative efforts to avoiding the financial pitfalls of all the litigation that arises after a data breach.

Of course, in simpler terms, it might also mean that no one is really sure.

Given that, I wonder if anyone can be really sure that their personal information is safe. Your guess is probably as good as mine!

Previous posts on this blog about the Hannaford Data Breach:

Security vendor removes Hannaford as a client on their site after data breach is revealed!

Hannaford Brothers data breach might reveal current security standards are outdated
