Sister CISA CISSP

Mar 31 2008   11:57PM GMT

Hannaford Is NOT The Bad Guy



Posted by: Arian Eigen Heald
Tags: Data Breaches, Security

I live in Portland, Maine, the home base of Hannaford, a regional grocery chain. They are owned by Food Lion, headquartered in Charlotte, NC. In turn, Food Lion is owned by an international company in Belgium, Delhaize.

Just in case you were on a desert island, Hannaford reported a breach in their credit card transaction systems.

Unfortunately, they can’t give us very many details right now for a lot of reasons – but careful reading between the lines can give you a lot of information to draw your own conclusions.

First, they replaced the hardware, at all the store locations. That tells me that it was pretty bad, because if formatting the hard drive was not good enough, they ditched the hardware, and that is not a cheap proposition. And they had to keep it quiet until they got all the hardware replaced, or risk being infected again.

Second, this was not an easy breach – they are saying that malware (probably a rootkit, so undetectable by AV) was installed on ALL their store servers – and that could make it a breach from an entirely different source OR an inside job.

When was the last time you could tell something was installed on your servers without Tripwire? Trying to track down when a change was made, and by who/what? Try finding that in your Event Logs from three months ago. Don’t have them? Start going through backup tapes – they are not having any fun.

Third, the malware was uploading information to a remote site in another country. The ONLY way I know to catch this is to monitor all outbound traffic through a central firewall/router. Not many organizations have started doing this yet – but I bet more will now. And what if they used encrypted traffic? You would still see it going through the firewall – but if it was being redirected, how could you identify it?

Fourth, the Feds had to keep this quiet if they were going to catch anybody – the minute it hits the news, the bad guys shut down.

In short, it’s equivalent to a robbery, not someone walking in through an unlocked door. Whoever did this had to work very hard to set it up. Very hard. Capturing streaming transaction data is not the same as cracking a WEP-enabled wireless network.

It’s true that many organizations are doing very poorly with information security, and we have gotten used to blaming bad management practices for breaches – but this is not one of them.
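The outbound-traffic monitoring described in the third point, sketched as an added example (not part of the original post). The log format, the store-server subnet and the allow-list are assumptions made up for illustration; the check looks only at source, destination and volume, so it still flags flows whose payload is encrypted.

```python
import ipaddress
from collections import defaultdict

# Assumed policy (hypothetical values): store servers live in 10.20.0.0/16 and
# may only send traffic out to the card processor's network.
STORE_SERVERS = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_DESTS = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample lines in a made-up key=value firewall log format.
SAMPLE_LOG = """\
2008-03-01T02:10:11 action=allow src=10.20.1.5 dst=198.51.100.4 dport=443 bytes=5120
2008-03-01T02:10:40 action=allow src=10.20.1.5 dst=203.0.113.77 dport=443 bytes=88211
2008-03-01T02:11:02 action=allow src=10.20.7.9 dst=203.0.113.77 dport=443 bytes=90112
2008-03-01T02:11:30 action=allow src=10.30.2.2 dst=192.0.2.10 dport=80 bytes=700
2008-03-01T02:12:00 action=deny src=10.20.7.9 dst=203.0.113.77 dport=25 bytes=0
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return the fields the check needs, or None if the line is unusable."""
    f = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
    try:
        return {"action": f["action"], "bytes": int(f["bytes"]),
                "src": ipaddress.ip_address(f["src"]),
                "dst": ipaddress.ip_address(f["dst"])}
    except (KeyError, ValueError):
        return None

def unexpected_egress(log_text):
    """Sum bytes per (store server, destination) for allowed flows that
    leave a store server for an address outside the allow-list."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow" or rec["src"] not in STORE_SERVERS:
            continue
        if any(rec["dst"] in net for net in ALLOWED_DESTS):
            continue
        totals[(str(rec["src"]), str(rec["dst"]))] += rec["bytes"]
    return dict(totals)

def fan_in(totals):
    """Destinations that receive data from more than one store server."""
    by_dst = defaultdict(set)
    for src, dst in totals:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}
```

On the constructed sample, both flagged flows use port 443 and converge on one external address from two different store servers, which is the pattern a central egress point makes visible.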

1  Comment on this Post

  • Benjaminwright215
    Arian: Hannaford and TJX were both victims of very sophisticated criminal gangs. The legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html --Ben
