Lessons learned from Hannaford breach

As a frequent chronicler of data breach incidents it is my duty to chime in on the Hannaford Supermarket data breach incident.   There are two aspects of this and previous breaches that should be considered.  One aspect is best practices in disclosure; what should you do when your organization is the victim of data theft?  The other is the mechanics of the attack including the who, what, why, and where.

Just to get you caught up, here is the chronology of events. On February 27th Hannaford was notified by FirstData, the massive credit card transaction processor, that there was unusual activity that could be tracked back to Hannaford, indicating a likely theft of credit cards.

By March 10th Hannaford says they had isolated and addressed the security problem, and on March 17th they disclosed the loss of 4.5 million credit cards. Only after their data disclosure responsibility was questioned by the State of Massachusetts did they reveal, in a letter, the extent of the intrusion: they had found Trojan software on servers in all 300 Hannaford stores.

Notice that the breach was discovered by FirstData, not Hannaford’s security team. This evokes memories of the other two massive credit card thefts in recent history. Both the theft at CardSystems International and the one at TJX were discovered by the credit card associations. This is pretty easy to do, and thankfully these organizations are doing simple analysis of fraud reports. Here is how it works. Several dozen people report erroneous charges on their credit cards. Visa, Mastercard, or in this case FirstData, just compare all the places those people shopped at in the previous couple of weeks. If there is a common store among even a very small sample, you have your source of leakage. That the retailers are not aware of the breach is a very strong sign that they have inadequate security measures in place.

Note that CardSystems went out of business after their breach event.  TJX has set aside over $200 million to account for potential liability. In addition the FTC just announced a settlement with TJX that requires them to undergo a comprehensive security assessment as well as twice annual security audits overseen by the FTC for the next twenty years.  This is the same onerous penalty that the FTC slapped BJ’S Wholesale with in 2003 and I am sure Hannaford will eventually see similar sanctions.

Let’s look more closely at the methodology used in the Hannaford case. There are various news reports that depict the management of Hannaford as confused and shocked at the “unique” use of Trojan Horse malware to steal information from them. Trojan software is malware that is disguised as something else as it is installed on a remote computer. It can then be used to steal files, record keystrokes, even take over the computer. Trojan Horses are the simplest way to infiltrate a network. They arrive as email attachments, can masquerade as PowerPoint presentations, and can be easily modified to avoid detection by any signature-based AV program. Trojans such as the Storm Worm are said to infect hundreds of millions of machines on the Internet. The Haephrati Trojan was used to steal hundreds of documents from dozens of companies in Israel. A Trojan Horse was implicated in the CardSystems International case. Hardware and software Trojans were used in the Sumitomo Bank heist. And the Chinese Red Army has infamously used Trojan Horses to blanket the world in the most massive case of industrial espionage in history. Any reader of my blog knows of the dangers of custom Trojans.

Lessons learned from the Hannaford case? That retail organizations are being targeted. This attack appears to be almost complete and most likely emanating from overseas. Being a target for attacks means a different level of security preparedness is required. Firewalls plus AV is not enough. Encryption is required - at rest and in motion. Behavior analysis and alerting systems have to be in place. Not IDS, but something that can detect when authorized insiders have changed their behavior. Investment is required.

To the executives of retail operations, answer this question: Do you want to invest in security now, or wait until after a major breach, when you have the FTC breathing down your neck for the next eighty quarters?

Write me. Tell me what you think about data protection.  


Copyright © 2008 IDG Communications, Inc.
