Tuesday, March 18, 2008

Hannaford Brothers data breach might reveal current security standards are outdated

Hannaford Bros. Co., a grocery retailer based in the Eastern United States is the latest corporation to be victimized by a substantial data breach. Saying that, customers of Hannaford Bros. are going to be victimized, also. So will a lot of financial institutions, who have to deal with the fraud claims and trying to prevent the information from being used.

Whenever a data breach of this magnitude occurs, there are a lot of victims.

This breach occurred despite that fact Hannaford Bros. had met the payment card industry (PCI) standards for data protection and were not using wireless technology to transmit unencrypted data. Both of these factors were said to have caused the now infamous TJX breach, where approximately 98 million records were compromised.

This time only a reported 4.2 million records have been stolen, but it's still early in the game and historically these estimates tend to blossom with time.

A press release from Hannaford revealed that no personal information was stolen in this occurrence and that only payment card (credit/debit) card numbers are at risk.

Additionally, there have been 1800 reported cases of fraud tied into this data breach thus far.

Today, the AP was able to get a comment from their corporate headquarters:

It was during the card approval process that more than 4 million customer accounts at grocery stores in the Northeast and Florida were exposed to fraud, even though the company meets the latest standards for data security, a spokeswoman said Tuesday.

Hannaford Bros. Co. doesn't yet know how the breach — which began Dec. 7 and ended March 10 — occurred, said Carol Eleazer, vice president of marketing for Hannaford, based in Scarborough.

About 4.2 million credit and debit card numbers were exposed and at least 1,800 stolen during the seconds it takes for that information to travel to credit card companies for approval after customers swiped their cards in checkout-line machines, Eleazer said.

Brian Krebs of the Washington Post, who does the Security Fix blog quoted an industry expert, Bryan Sartin at Cybertrust as stating:

"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."

Once these systems have been compromised, Sartin said, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.
If the theory in Security Fix is pans out (probably will), some precedents might exist for the basic method the hackers used. The incidents, I will reference don't sound as sophisticated as what Mr. Sartin is describing, but they happened about a year ago and hacking methods tend to mature with age.

Stop and Shop was the subject of a data breach a little over a year ago. In this case, PIN pads were being replaced with "look-alike" devices that captured all the payment card details. This hardware was later removed to download all the information that had been captured when unsuspecting customers swiped their cards.

Shortly thereafter, another compromise of this type was reported in Edmonton, Canada. In this case, a blue tooth device was used to transmit the information to a waiting car in the parking lot.

The trend with PIN pad replacement continued with a smaller breach at a grocer in the San Francisco Bay area, Albertsons in April of 2007. At the time, I had the pleasure of speaking with Blanca Torres, who was doing an article on the story.

Interestingly enough, up North in Canada, where payment card skimming has increased six-fold in recent years, an announcement was made that they plan to introduce a smart card. This technology, which is known as "chip and PIN" is already in use in Great Britain and France.

The AHN story about this by Vittorio Hernandez included (what I consider) a sage comment:

But Peter Woolford of the Retail Council of Canada is wary that although the smart cards appear to be effective in reducing incidents of fraud, sinister minds may one day find a way to hack the smart chips. "Anything the human brain puts together, another human brain can take apart," Woolford pointed out.
Sadly, once this all pans out, it will likely reveal that PCI data protection standards can and will be compromised in the future. The reason, I say sad is because a lot of retailers have spent a lot of money becoming compliant.

Throw in all the finger pointing and litigation between the different parties in all these breaches and I fear we're going to be fighting a very costly battle over what is becoming a too common item in the news.

I'll sum this post up with a rant, I wrote when the TJX breach was attracting a lot of attention:

While everyone sues TJX, the criminals are laughing all the way to the bank

Press release from Hannaford about the breach, here. They list a telephone number on it, where more information can be obtained if you think you've become a statistic.


Anonymous said...

Having followed this type of thing for the last several years, I now tell people DO NOT USE anything besides CASH or checks. All computers are designed by people who are driven to make it cheaper and faster, NOT for security. USE CASH as much as you can.

michael webster said...


It would be very helpful to have a list of things to do when you believe that your privacy has been compromised.

Got any suggestions.


Benjamin Wright said...

Ed: Legally speaking, we can't expect the PCI to keep pace with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. --Ben