We first discovered Hannaford in Western Mass. many years ago. We loved it immediately: they had the foods we wanted and their prices were better than the big name stores. We wished that they had a store near to us.
When we moved down to Middleboro two years ago we were delighted to find a Hannaford's here. It's a smaller store, but we find what we want and again the prices are good. We really like Hannaford.
Ah, but then came this big credit card mess: "New retail data breach may have affected millions of Hannaford shoppers." That's upsetting, and, as Geeks Are Sexy pointed out, the way Hannaford presented its response might indicate a weak IT department.
However, we don't even know if it really was a "data breach". If Hannaford doesn't have a strong CIO, I certainly don't trust that the President or VP of Marketing has any real clue as to what really happened. For all we know, this was an inside job: someone inside their data center could have passed credit card info out or arranged an open door. This could easily have been an "invitation" rather than a breach.
Hannaford's day of shame will pass. They'll hire a CIO, or at least a good outside consultant, and they will shore up their defenses. But what worries me is that there are a lot of "Hannafords" out there: companies that are large enough to have data worth stealing but small enough that they may not have good security controls in place. I could spit out a few dozen names without even thinking hard; you probably drive by many just like this every day. Small chains, often regional, competing hard against their national counterparts: how many do you think have strong IT departments? I'd guess that not many do, and that worries me, particularly as we slide toward economic hard times. When the going gets tough, criminals have even more reason to look for prey, and isn't IT often quite vulnerable to layoffs and cutbacks? You betcha: the VP of marketing probably sees IT as mostly fluff anyway; they don't bring in money, right?
My bet is that we'll see more of this, unfortunately.
Wed Mar 19 11:05:12 2008: Subject: TonyLawrence
This morning we learn: http://www.thefreelibrary.com/Hannaford+Supermarkets+Installs+Rapid7%27s+NeXpose+for+Achieving...-a0149500021
Nexpose has already taken down its page bragging about that.
Wed Mar 19 13:03:57 2008: Subject: BruceGarlock
We always shop at Hannaford, and found the same things: great choices at lower prices. We live right on the NH border, so we usually visit the Hannaford over the border in NH. My bank cut off my debit card. I went to use it to pay for gas yesterday, and it kept coming up with "Invalid Transaction." Another employee at the cashier desk quickly pointed out that she had this happen to several customers today, and it was probably due to the Hannaford credit/debit card issue.
I guess I will have to make a trip to the bank until I get my new card. I looked on-line, and it did not look like anything was out of order with our account, so that is good news.
People really need to wake up to this stuff. How many times have you heard of some government employee taking their laptop home, filled with personal info and SSNs? My sister-in-law actually had her identity stolen, due to someone at the state level in CT losing their laptop, with her and thousands of other CT citizens' SSNs and addresses on it.
I hope these people get a clue to something FREE, like TrueCrypt:
http://www.truecrypt.org/
It's free, does whole HD encryption, and virtually guarantees that information cannot be stolen without the secret passphrase. Why don't people use this stuff?
Wed Mar 19 13:34:18 2008: Subject: BigDumbDinosaur
http://bcstechnology.net
Of course, what do you do about the fools who go home at night and leave their office PCs logged in? I have several clients where that sort of behavior is routine. The janitor could access the payroll, A/R or customer database. One shouldn't assume that the janitor is incapable of stealing information from a computer. The system is no more secure than the individuals using it.
Thu Mar 20 23:00:10 2008: Subject: drag
Attrition.org has an amusing page on the Rapid7 thing, including shots of the website before and after. They also have a rebuttal posted from Rapid7, linked to from the following page.
http://attrition.org/security/rant/z/rapid7.html
Attrition.org may not seem like much from their website, but they do a lot of good (in terms of information security) by doing things like running various mailing lists and backing the OSVDB. Right now the latest thing they are attempting to do is create an _accurate_ database of data loss incidents. They've been up to it for a while now and it's amazing how much they have been able to collect. They are looking for more volunteers, though.
You can find it at http://attrition.org/dataloss/