I live in Portland, Maine, the home base of Hannaford, a regional grocery chain. They are owned by Food Lion, headquartered in Charlotte, NC. In turn, Food Lion is owned by an international company in Belgium, Delhaize.
Just in case you were on a desert island, Hannaford reported a breach in their credit card transaction systems.
Unfortunately, they can’t give us very many details right now for a lot of reasons – but careful reading between the lines can give you a lot of information to draw your own conclusions.
First, they replaced the hardware, at all the store locations. That tells me that it was pretty bad, because if formating the hard drive was not good enough, they ditched the hardware, and that is not a cheap proposition. And they had to keep it quiet until they got all the hardware replaced, or risk being infected again.
Second, this was not an easy breach – they are saying that malware (probably a rootkit, so undetectable by AV) was installed on ALL their store servers – and that could make it a breach from an entirely different source OR an inside job.
When was the last time you could tell something was installed on your servers without Tripwire? Trying to track down when a change was made, and by who/what? Try finding that in your Event Logs from three months ago. Don’t have them? Start going through backup tapes – they are not having any fun.
Third, the malware was uploading information to a remote site in another country. The ONLY way I know to catch this is to monitor all outbound traffic through a central firewall/router. Not many organizations have started doing this yet – but I bet more will now. And what if they used encrypted traffic? You would still see it going through the firewall – but if it was being redirected, how could you identify it?
Fourth, the Feds had to keep this quiet if they were going to catch anybody – the minute it hits the news, the bad guys shut down.
In short, it’s equivalent to a robbery, not someone walking in through an unlocked door. Whoever did this had to work very hard to set it up. Very hard. Capturing streaming transaction data is not the same as cracking a WEP-enabled wireless network.
It’s true that many organizations are doing very poorly with information security, and we have gotten used to blaming bad management practices for breaches – but this is not one of them.