Malware Brought Hannaford Down!


Randy George

March 29, 2008

Network Computing

It's been widely reported today that the source of the recent massive credit card theft at the Hannaford and SweetBay grocery chains was a pervasively installed piece of malware. The finding was revealed in a letter from Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick's Office of Consumer Affairs and Business Regulation. According to Hannaford's general counsel, the malware recorded the "track 2" data stored on the magnetic stripe of credit/debit cards as customers used them at the checkout counter. This magnetic stripe data includes the card's number and expiration date, but not the customer's name.

The data was taken "in transit for authorization from the point of sale," the letter states, meaning as it was transmitted from the cash register to one of the institutions that Hannaford uses to process transactions.

The disclosure also stated that the malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider.

According to Hannaford, not only is the company fully compliant with the PCI-DSS credit card protection standard, but it passed an audit as recently as late February! This is clearly a nightmare for the major credit card companies. There's already a perception that the standard itself is garbage, and news like this further validates that contention.

But I always approach these problems from a security admin perspective, so what can we learn from this? At the risk of sounding like a shill for security vendors (I'm not), if I were responsible for the safety of millions of credit card records, the first thing I'd be doing is unleashing a network behavior analysis tool so I can closely watch who's accessing the hosts on my network that hold the sensitive data. With an NBA tool, you can easily detect and report on which hosts your critical servers are talking with at any time, as well as what sort of traffic is being sent. This is the sort of forensic data you get from tools in the NBA/IDS space, and it is now close to essential for organizations that hold critical customer or employee data.
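The two behaviors the letter describes, a payment server talking to an outside host it has no business with, and doing so in regular batches, are exactly what flow-level monitoring is good at surfacing. The following is an added example, not code from the original article, from Hannaford, or from any NBA product: a small Python script that reads constructed flow records (timestamp, source, destination, destination port, bytes out), flags flows from a designated sensitive host to any external peer outside an allowlist, and tests whether the transfers to that peer recur at a near-fixed interval. The hosts, addresses (documentation ranges), ports, and byte counts are all invented for the example; the format is a hypothetical one-line-per-flow export, not any vendor's log format.

```python
"""Flow-based detection of a sensitive host talking to unexpected peers in batches.

Added example. The flow format and all addresses below are constructed;
nothing here is taken from Hannaford's environment or from an NBA vendor.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Address space we consider "inside"; anything else is an external peer.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow export: "<ISO timestamp> <src> <dst> <dport> <bytes_out>".
# 10.20.1.5 plays the store/POS server; 198.51.100.10 the payment processor;
# 203.0.113.9 an unapproved outside host receiving a nightly ~180 KB upload.
SAMPLE_FLOWS = """\
2008-02-25T02:00:07 10.20.1.5 203.0.113.9 443 184320
2008-02-25T09:15:02 10.20.1.5 198.51.100.10 443 2048
2008-02-25T09:15:02 10.20.1.5 10.20.1.20 1433 8192
2008-02-26T02:00:11 10.20.1.5 203.0.113.9 443 190000
2008-02-26T11:40:33 10.20.1.5 198.51.100.10 443 1900
2008-02-27T02:00:03 10.20.1.5 203.0.113.9 443 177800
2008-02-27T13:02:45 10.20.1.5 198.51.100.10 443 2100
2008-02-27T13:05:00 10.20.1.5 203.0.113.9 443 600
2008-02-27T14:00:00 192.168.5.7 203.0.113.200 80 45000
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed one-flow-per-line format; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unexpected_peers(flows, sensitive_hosts, allowed_peers):
    """Total bytes per (src, dst) where a sensitive host talks to an external
    peer that is neither internal nor on the allowlist."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.src in sensitive_hosts and f.dst not in allowed_peers and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return dict(totals)


def batched_uploads(flows, src, dst, min_bytes=50_000, min_events=3, max_jitter=0.2):
    """True if src->dst shows at least min_events transfers of at least
    min_bytes whose inter-arrival times vary by no more than max_jitter
    (coefficient of variation), i.e. a scheduled batch upload."""
    times = sorted(f.ts for f in flows
                   if f.src == src and f.dst == dst and f.bytes_out >= min_bytes)
    if len(times) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def analyze(log_text, sensitive_hosts, allowed_peers):
    """Run both checks and return one finding per unexpected (src, dst) pair."""
    flows = parse_flows(log_text)
    findings = []
    for (src, dst), total in sorted(unexpected_peers(flows, sensitive_hosts, allowed_peers).items()):
        findings.append({"src": src, "dst": dst, "bytes": total,
                         "periodic": batched_uploads(flows, src, dst)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS, {"10.20.1.5"}, {"198.51.100.10"}):
        print(f"{f['src']} -> {f['dst']}: {f['bytes']} bytes, periodic={f['periodic']}")
```

The allowlist is the important design choice: the processor the server is supposed to talk to is enumerated explicitly, so any new external peer is a finding regardless of port or volume, and the periodicity check only adds a second signal. A real deployment would build the allowlist from observed traffic during a known-good period and page someone the first time a payment host deviates from it.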

This is a reminder to all security admins: DON'T FALL ASLEEP IF YOU'RE RESPONSIBLE FOR THE SECURITY OF CREDIT CARD DATA. Fight for the tools you need to protect your data, because one thing is for sure: If a TJX-like attack happens at your company, management will want to know why you didn't stop it.
