Wednesday, March 19, 2008

Security vendor removes Hannaford as a client on their site after data breach is revealed!

I ran into an interesting development in the Hannaford data breach on geeksaresexy.net. Allegedly, Hannaford's IT security vendor of choice (Rapid7) decided to disavow all knowledge of its relationship with Hannaford right after the breach was made public.

From the blog post on geeksaresexy.net:

Instead, Rapid7 scrubbed all mentions of Hannaford from their client list. Rapid7 obviously didn’t want to be associated with one of the largest data loss incidents in history, and they certainly didn’t want to sully the name of their flagship appliance, the “neXpose” which is a vulnerability scanning device.

This information is from Attrition.Org, an online security community that has been around since the predawn of the dot-com boom. They have an outstanding article, with screenshots here, where they are much less kind to Rapid7 in light of their cowardly actions.

Attrition.org is one of the trusted sources on data breaches, so I decided to see what they had found:

You are a security vendor. You sell the mightiest security doohickey the world has ever seen. It does it all, including "...ensuring your network is safe from hackers..." and amazingly it "...scans for Web site and database vulnerabilities that hackers can use to capture credit card information without you being aware". Since your doohickey does what no others have ever successfully managed to do, you can tout your client list proudly, and pimp your customer implementations liberally.

Attrition.org did an excellent job showing (complete with compelling screenshots) how Rapid7 removed all the information on the Internet showing they were Hannaford's cyber-guardians.

To see all the evidence, which is convincingly presented on Attrition.org, I've provided a link:

Abandon Ship! Data Loss Ahoy!

As of this writing, Rapid7 has restored the information on their site showing Hannaford as a client.

I decided to run a query on Google News and discovered that so far the Boston Globe is one of the few mainstream e-rags reporting this.

The Boston Globe was able to get a comment from the marketing VP at Rapid7. Here is the "official explanation" from the article:

Was it damage control? Embarrassment about being linked to the breach? An admission that its software failed?

A Rapid7 executive says none of the above.

David Precopio, the company's vice president of marketing, said Hannaford asked Rapid7 to remove its name from the site once the data breach was made public. But after some sharp-eyed observers spotted the deletion (including the security website attrition.org) Precopio said Rapid7 asked Hannaford to let it repost the company’s name.

The Boston Globe was unable to get a comment from Hannaford about this matter.

I guess I'll have to leave it to the reader's imagination what the true intention in all of this was.
