Mar 18 2008

Hannaford Brothers hacked, but there’s a silver lining

Published by at 5:47 am under Hacking, PCI

A grocery store chain of about 1500 stores, Hannaford Brothers and Sweetbay, reported on February 27th that they’d been compromised and 4.2 million credit card and debit card numbers had been stolen. While the details in the InfoWorld article are scarce, one interesting factor of this compromise is that the card data was stolen in the authorization phase of the process. This means the attackers either compromised a border system responsible for the authorization or they compromised the network itself and were able to capture authorization traffic directly. These are the only two places credit card data should be appearing unencrypted.

There has been some identity theft associated with this compromise, but here’s the silver lining: Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses. And this in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have a record of every embarrassing purchase you’ve ever made. The downside to this lack of association between card numbers and cardholder names is that they have no way of knowing who should be contacted about the breach. I’m not sure if that will absolve them of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either.

I’m glad to hear that at least one company has disassociated the data in this way, making it harder on the attackers. I can only assume that this is because the chain is owned by a Belgian company; European laws concerning privacy and the data collected on customers are much stricter than anything we have in the US. What I’ve chosen to view as a bit of forward thinking by an American grocery chain may be nothing more than an attempt to comply with European Union laws. In either case, it’s to the benefit of Hannaford Brothers’ and Sweetbay’s customers.
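The post’s point is that the card data was taken in the clear during authorization, which is exactly the exposure a merchant can check for before an attacker does. As an added example (not code from the original post or from Hannaford), here is a defender-side scan over constructed sample lines of the kind a POS debug log or a capture of authorization traffic might contain: it looks for Luhn-valid 13–19 digit runs, reports where cleartext PANs appear, and masks them so the report itself does not leak card data. The log format and values are assumptions made up for the example.

```python
import re

# Constructed sample lines (not real traffic): two authorization requests with
# cleartext PANs, one already masked, and an unrelated 13-digit SKU that must
# not be flagged. 4111111111111111 is a well-known Luhn-valid test number.
SAMPLE_LINES = [
    "2008-02-27 10:01:12 AUTH REQ term=0412 pan=4111111111111111 exp=0910 amt=42.17",
    "2008-02-27 10:01:13 AUTH RSP term=0412 code=00 ref=ab12",
    "2008-02-27 10:02:40 AUTH REQ term=0412 pan=XXXXXXXXXXXX1111 exp=0910 amt=8.99",
    "2008-02-27 10:03:05 AUTH REQ term=0413 pan=4111111111111112 exp=1109 amt=5.00",
    "2008-02-27 10:03:06 LOG sku=0123456789012 qty=1",
]

# A candidate PAN is a run of 13 to 19 digits not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most non-card digit runs (SKUs, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits, so findings can be shared safely."""
    return "X" * (len(pan) - 4) + pan[-4:]


def find_cleartext_pans(lines):
    """Return (line number, masked PAN) for every cleartext, Luhn-valid PAN."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, mask(m.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, masked in find_cleartext_pans(SAMPLE_LINES):
        print(f"line {lineno}: cleartext PAN {masked}")
```

Any hit on a segment that is supposed to carry only encrypted cardholder data is the condition PCI DSS 4.1 is meant to rule out; the Luhn filter keeps SKUs and other long numbers from drowning the report in false positives.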


6 Responses to “Hannaford Brothers hacked, but there’s a silver lining”

  1. EJ on 18 Mar 2008 at 9:46 am

    So I’m hoping that if they reported it on 2/27 then they had it all under control by then. I never typically shop at Hannaford’s, but I stopped in March 7th to pick up a few sundries while out and about. Sounds like I dodged a bullet.

    And if the attackers are listening, I bought croutons. ;)

  2. Benjamin Wright on 18 Mar 2008 at 10:09 am

    Martin: Spectacular announcements about massive data security breaches do the public little good. The implication of these announcements is that some data (i.e., that which are the subject of the announcements) are more exposed than other data. As a practical matter that is false. All personally identifiable data are more or less exposed all the time. And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data-holders should set a high threshold of proof before concluding that a “data security breach” worthy of announcement has occurred for any given unit of data. (Data-holders should of course consult their attorneys.)

  3. David Navetta on 18 Mar 2008 at 12:30 pm

    This perfectly illustrates how the ambiguities of the PCI can get you into big trouble. The legal implications of giving a stamp of PCI approval based on a loose interpretation of PCI are enormous (you can read more here at my blog, I am an infosec attorney: http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html)

    Anyway, in this case the ambiguity is in section 4.1 of the PCI Standard, which requires “Encrypt transmission of cardholder data across open, public networks” and also states “Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit”.

    Examples are provided: the Internet, WiFi, global systems for mobile communications and GPRS.

    So the question is, does this include open “internal” networks of a merchant that may be “easy and common” for a hacker to intercept?

    If all of the supposition is true, it appears that Hannaford (or its Qualified Security Assessor) interpreted this to mean only “public” networks like the Internet…

  4. [...] Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach. [...]

  5. Joshua Gruber on 21 Mar 2008 at 4:56 pm

    This makes me sad in part because Hannafords makes a point of not forcing customers to join a club and give them loads of personal information to be tracked in order to get discounts.

  6. anonymous on 22 Mar 2008 at 2:48 pm

    You bring up an interesting point. But that is only if the attackers got into a database at Hannaford. Since it was during the auth process, that seems highly unlikely – and what may have happened may be a sniffer in action. Sniffing just the initial part of the POS messages should give the account number and expiration date only with no names. Let’s not give credit to Hannaford till we know what happened. But I do agree with your silver lining theory _if_ we can find store, that is!

    Check out my theory at http://securitycoin.blogspot.com/2008/03/hannaford-supermarkets.html
