Showing posts with label stop and shop. Show all posts

Tuesday, March 18, 2008

Hannaford Brothers data breach might reveal current security standards are outdated

Hannaford Bros. Co., a grocery retailer based in the Eastern United States, is the latest corporation to be victimized by a substantial data breach. That said, customers of Hannaford Bros. are going to be victimized, also. So will a lot of financial institutions, who have to deal with the fraud claims and try to prevent the information from being used.

Whenever a data breach of this magnitude occurs, there are a lot of victims.

This breach occurred despite the fact that Hannaford Bros. had met the payment card industry (PCI) standards for data protection and was not using wireless technology to transmit unencrypted data. Both of these factors were said to have caused the now infamous TJX breach, where approximately 98 million records were compromised.

This time only a reported 4.2 million records have been stolen, but it's still early in the game and historically these estimates tend to blossom with time.

A press release from Hannaford revealed that no personal information was stolen in this occurrence and that only payment (credit/debit) card numbers are at risk.

Additionally, there have been 1800 reported cases of fraud tied into this data breach thus far.

Today, the AP was able to get a comment from their corporate headquarters:

It was during the card approval process that more than 4 million customer accounts at grocery stores in the Northeast and Florida were exposed to fraud, even though the company meets the latest standards for data security, a spokeswoman said Tuesday.

Hannaford Bros. Co. doesn't yet know how the breach — which began Dec. 7 and ended March 10 — occurred, said Carol Eleazer, vice president of marketing for Hannaford, based in Scarborough.

About 4.2 million credit and debit card numbers were exposed and at least 1,800 stolen during the seconds it takes for that information to travel to credit card companies for approval after customers swiped their cards in checkout-line machines, Eleazer said.

Brian Krebs of the Washington Post, who does the Security Fix blog quoted an industry expert, Bryan Sartin at Cybertrust as stating:

"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."

Once these systems have been compromised, Sartin said, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.

If the theory in Security Fix pans out (it probably will), some precedents might exist for the basic method the hackers used. The incidents I will reference don't sound as sophisticated as what Mr. Sartin is describing, but they happened about a year ago and hacking methods tend to mature with age.
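A defender-side illustration of the gap Sartin describes, added here and not code from the post or from Cybertrust: a check that scans captured authorization traffic for Luhn-valid card numbers in the clear, the kind of test an assessor runs to verify that card data really is encrypted on internal links. The payload layout and card numbers below are constructed test data.

```python
# Added example (not from the blog post): a defender-side check for the
# situation Sartin describes -- card numbers crossing an internal link in
# the clear during authorization. It scans captured payload bytes for
# Luhn-valid 13-19 digit runs, the same test a DLP scan of a capture uses.
# Sample payloads are constructed; the card number is a public test number.
import re

DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_plaintext_pans(payload: bytes) -> list:
    """Return masked PANs found as Luhn-valid digit runs in raw bytes."""
    hits = []
    for m in DIGIT_RUN.finditer(payload):
        digits = m.group().decode("ascii")
        if luhn_valid(digits):
            # keep BIN and last four so the finding can be reported safely
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

# Constructed samples: a fake authorization request carrying a test PAN in
# the clear, the same request with the PAN tokenized, and a non-card digit run.
CLEAR_AUTH = b"MTI=1100|PAN=4111111111111111|AMT=000000004237|TRK2=..."
TOKENIZED_AUTH = b"MTI=1100|TOKEN=9f3c2a7e8b1d|AMT=000000004237"
NOISE = b"ORDER=1234567890123|TS=20080318123456"   # fails Luhn, not flagged

def audit(capture: list) -> dict:
    """Map each captured payload to the plaintext PANs it exposes."""
    return {p: find_plaintext_pans(p) for p in capture}

if __name__ == "__main__":
    for payload, pans in audit([CLEAR_AUTH, TOKENIZED_AUTH, NOISE]).items():
        print(payload[:20], "->", pans or "no plaintext PAN")
```

Only the first sample is flagged; a tokenized request and ordinary numeric fields pass, which is what you want when running this over a store-to-processor capture.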

Stop and Shop was the subject of a data breach a little over a year ago. In this case, PIN pads were being replaced with "look-alike" devices that captured all the payment card details. This hardware was later removed to download all the information that had been captured when unsuspecting customers swiped their cards.

Shortly thereafter, another compromise of this type was reported in Edmonton, Canada. In this case, a Bluetooth device was used to transmit the information to a waiting car in the parking lot.

The trend with PIN pad replacement continued with a smaller breach at Albertsons, a grocer in the San Francisco Bay area, in April of 2007. At the time, I had the pleasure of speaking with Blanca Torres, who was doing an article on the story.

Interestingly enough, up north in Canada, where payment card skimming has increased six-fold in recent years, an announcement was made that they plan to introduce a smart card. This technology, known as "chip and PIN," is already in use in Great Britain and France.

The AHN story about this by Vittorio Hernandez included (what I consider) a sage comment:

But Peter Woolford of the Retail Council of Canada is wary that although the smart cards appear to be effective in reducing incidents of fraud, sinister minds may one day find a way to hack the smart chips. "Anything the human brain puts together, another human brain can take apart," Woolford pointed out.

Sadly, once this all pans out, it will likely reveal that PCI data protection standards can and will be compromised in the future. The reason I say sad is that a lot of retailers have spent a lot of money becoming compliant.

Throw in all the finger pointing and litigation between the different parties in all these breaches and I fear we're going to be fighting a very costly battle over what is becoming an all too common item in the news.

I'll sum this post up with a rant I wrote when the TJX breach was attracting a lot of attention:

While everyone sues TJX, the criminals are laughing all the way to the bank

Press release from Hannaford about the breach, here. They list a telephone number on it, where more information can be obtained if you think you've become a statistic.

Tuesday, February 20, 2007

Another sad statistic, the Stop and Shop data breach

Last weekend, Stop and Shop (Quincy, MA) reported a data breach at two of their stores in Rhode Island. After an initial investigation, they tracked the theft to two PIN pads.

Consumer Affairs has the most informative story (my opinion) on this current breach. They are reporting that with the assistance of the Secret Service, four more compromised PIN pads have been identified (all in the Rhode Island area).

Martin H. Bosworth makes an interesting point in his article that the United States hasn't been as proactive as our European friends in instituting new technology to stop debit/credit card fraud, such as chip and PIN.

Of course, implementing PCI data protection standards is not exactly 100 percent, either.

PCI data protection standards were implemented by the payment card industry, and even when they are violated, the only consequence seems to be that the merchant will be fined. The standards are designed to stop merchants from storing information they aren't supposed to.

Consumer Affairs story, here.

Of interest (in this case) is that (it appears) PIN pads were tampered with inside the stores, which makes me wonder if there is some sort of inside connection?

Tom Fragala (CEO, Truston Identity Theft Services) did a recent post on his blog, where he linked to a video on how easily a remote ATM can be compromised in a store, here.

Of note, Truston is the only service for victims (that I know of), where someone doesn't have to submit all their personal information to a database, which could be compromised, also.

This is a good video, but note the ATM was in a pretty concealed area, and I'm guessing that these PIN pads were in the checkout lanes in stores?

Attrition.org and PogowasRight provide information on data breaches (frequently updated), here.

Someone should start a chronology of how many of the people stealing this information get caught. Unfortunately, the list wouldn't be very long.

*(Update): I must have missed that Attrition.org is recording arrests, but the results are not encouraging.

The most recent news about legislation to protect the people being victimized by this growing problem isn't good.

A recent article by Scott Bradner (Network World) about how special interests are preventing the passage of any meaningful legislation argues this point, eloquently:

The Leahey privacy bill: coddling the criminals?