Hannaford Data Breach: An Inside Job?
Investigators Search for Clues About Compromised Systems and Impacts on Merchants, Financial Institutions
Yet the banking and security industry continues to discuss the attacks, and there the fearful question is: how did it happen, and what is the potential impact on us?
According to spokespeople from Okemo, its systems were breached by an outside party for a 16-day period between February 7 and February 22 of this year. During the investigation, the forensics expert hired by Okemo found that card information also was taken for cards used at the resort during a three-month period between January and March 2006. In total, credit card numbers from more than 52,000 transactions were taken.
Okemo's security breach, on a smaller scale than Hannaford's (where more than 4 million cards were compromised), appears to have some similarities, as it involved interception of "real-time" data in transit rather than theft from a stored database. The Okemo attack was designed to capture magnetic stripe Track 1 and Track 2 data from credit cards as the cards were swiped through serial devices at point-of-sale terminals. Track 1 carries the cardholder's full name, primary account number, expiration date and service code, followed by issuer-defined discretionary data that typically holds the stripe's card verification value (CVV1/CVC1, distinct from the CVV2 printed on the back) and a PIN verification value (a value used to check the PIN, not the PIN itself). Track 2 carries the same fields in a more compact encoding; the one difference is that Track 2 doesn't have the cardholder's full name. Because all of this is read in the clear by the terminal, anything that can observe the serial line or the POS process memory sees a complete counterfeit-ready card.
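To make concrete what a sniffer sitting at the POS would capture, here is a small Track 1 / Track 2 parser. This is an added example written for this article, not code from Hannaford, Okemo, their forensics firm or any vendor. The swipe strings are constructed from the ISO/IEC 7813 track layout using the well-known Visa test PAN 4111 1111 1111 1111 and a fictional cardholder; they are not captured data. The field names and the `minimal_record` function are this example's own choices, illustrating how little of the swipe a merchant actually needs to retain once the transaction is authorized.

```python
"""Parse magnetic-stripe Track 1 / Track 2 data as a POS (or a sniffer on
the reader's serial line) would see it, then reduce it to the minimal
record a merchant needs to keep.

Added example for this article; not Hannaford, Okemo or vendor code.
Sample swipes are constructed from the ISO/IEC 7813 layout with the
public Visa test PAN 4111111111111111 and a fictional cardholder.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %<format code><PAN>^<surname>/<given>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%([A-Z])(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{1,19})=(\d{4})(\d{3})([^?]*)\?")


@dataclass
class SwipeRecord:
    pan: str
    name: Optional[str]        # present on Track 1 only
    expiry_yymm: str
    service_code: str
    discretionary: str         # issuer data: typically CVV1/CVC1 and a PIN verification value


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, used to reject mis-read swipes before going further."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track1(t1: str) -> SwipeRecord:
    """Decode a format-B Track 1 record (the one that carries the name)."""
    m = TRACK1_RE.fullmatch(t1)
    if not m or m.group(1) != "B":
        raise ValueError("not a format-B Track 1 record")
    _fmt, pan, name, exp, svc, disc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check (bad read?)")
    surname, _, given = name.partition("/")
    return SwipeRecord(pan, f"{given.strip()} {surname.strip()}".strip(), exp, svc, disc)


def parse_track2(t2: str) -> SwipeRecord:
    """Decode a Track 2 record: same fields as Track 1 minus the name."""
    m = TRACK2_RE.fullmatch(t2)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, exp, svc, disc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check (bad read?)")
    return SwipeRecord(pan, None, exp, svc, disc)


def minimal_record(rec: SwipeRecord) -> dict:
    """What the POS may keep after authorization: masked PAN and expiry.
    Full PAN, name, service code and the discretionary data (CVV1/PVV) are
    discarded; PCI DSS forbids storing the sensitive authentication data at all."""
    return {"pan_masked": "*" * (len(rec.pan) - 4) + rec.pan[-4:],
            "expiry": rec.expiry_yymm}


# Constructed sample swipe, not captured data.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121011234567890123?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890123?"

if __name__ == "__main__":
    full = parse_track1(SAMPLE_TRACK1)
    print("what a POS-level sniffer captures:", full)
    print("what the merchant needs to keep:  ", minimal_record(full))
```

Everything in the `SwipeRecord` is exactly what a memory scraper or serial tap harvests; the `minimal_record` output is all that should survive on the merchant side. If the reader encrypted the track before it reached the serial line, `parse_track1` running in a compromised POS would see only ciphertext, which is the point of the reader-level encryption discussed later in this article.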
With the revelation in the Hannaford case that malware made it into the grocer's networks, "It looks like there is more to the story - with malware planted inside stores," says Avivah Litan, Distinguished Analyst at Gartner Group, a Stamford, CT-based research firm. Whether it was an inside job or the work of a very clever outsider has yet to be revealed, she says.
The Impact on PCI Compliance
How does the news of these breaches affect other retailers' sense of urgency to get PCI compliant?
Nick Holland, Senior Analyst at Aite Group, a Boston, MA-based financial services research firm, sees this as an opportunity to educate merchants that card data security is not optional. He says that while many big retailers are "universally aware" of PCI compliance, as well as of the shift in security requirements to the point-of-sale level over the next several years, he suspects the problem will persist among smaller merchants. "The 'little' retailer just doesn't think it will happen to them," Holland notes.
When looking at the Hannaford breach, one assessor told Litan that the PCI standard wasn't written to fight malware. But upon further examination, she and the assessor found that part of the PCI standard calls for penetration tests once a week. "So if everything else had failed, then the penetration testing should have uncovered the malware," Litan explains.
The problem likely isn't with the PCI standard, Litan says. "But actually the data should be encrypted before it gets into the system." Litan recommends that card-accepting merchants handle card data as little as possible, and encrypt it as early as possible. She says they should consider solutions from vendors that enable encryption at the card reader, before the card data enters the system. "They should ensure that the point-of-sale network is adequately segmented and that privileged users cannot access sensitive authentication data (except under narrowly defined circumstances during testing and development)."
At this point, it is too soon to know whether Hannaford was compliant with the Data Security Standard at the time of its breach, says Bob Russo, general manager, PCI Security Standards Council. "A report on compliance from an assessment is simply a snapshot in time. Following that assessment, organizations must be vigilant to ensure that they stay in compliance," Russo says. Businesses have to remain focused on data security at all times, not just when they know that they will be assessed. "The Council will keep monitoring the situation, and if we find something that needs to be addressed within the DSS, we will act on it immediately," Russo says.
David Taylor, President of the PCI Security Vendors Alliance, says that a breach at a PCI-compliant merchant, which Hannaford Brothers may or may not have been, does not give other retailers an excuse not to strive toward compliance. "'How can I get away with not spending any money?' is what other retailers are thinking after the Okemo and Hannaford breaches," Taylor says.
For retailers, Taylor says it is clearly not business as usual. "I'm hearing from Level 2, 3 and 4 retailers that they are taking it seriously. One retailer said to me recently that they're doing it because 'of the breaches,' or 'the boss doesn't want to go to jail,'" Taylor says, adding that at the recent RSA conference he did a mini survey of vendors and asked whether they were seeing PCI as a driver for their business. The unanimous response was "Yes."
The Impact on Financial Institutions
Taylor sees the financial services industry taking a lot harder look at their vendors and service providers. "It's more of a sense of finding the weakest link -- banks are no longer accepting a letter or SLA (service level agreement) as a guarantee of data security," Taylor says. More institutions are asking for their own audits performed by independent auditing groups, he says.
The thought of another breach striking a retailer should strike fear into everyone, says Litan. She suggests that maybe these breaches will serve as a wake-up call for everyone, including financial institutions. Card issuers could look at moving toward a card system such as European countries have with chip and PIN technology, or possibly at one-time passwords. "If more of these breaches happen, banks will wake up and do something," Litan says.
The prohibitive cost of reissuing new cards is a hurdle no institution wants to approach, but Litan suggests bank card issuers could pass the cost of reissuing the cards to the consumers. They could charge it as a security fee, which most consumers would want to pay for a safer card. "A five-dollar security fee would not be minded, considering all the other fees they pay," she says.
The fear from consumers will eventually subside, says Aite's Holland. He sees these breaches resulting in some "isolated scaremongering" for users of the supermarkets/ski resort, and possibly some short term damage to brand reputation. "But these will probably quite quickly fade from memory," Holland says.
One thing that everyone can be certain of -- there will be more breaches. "They will inevitably be on the way," Holland says. But he's not sure what it would take for public trust in card payments to be irreparably damaged. "A Starbucks being breached? Wal-Mart? McDonalds?" To get the attention of retailers on this issue, Holland says a complete ban on card usage would send a "pretty strong signal," but he doesn't see any card network actually going to that extreme because it would directly impact its revenue stream.