As the rash of large data breaches and thefts continues unabated, it’s important to resist the urge to lump them all together. Not all breaches are created equal, and the latest one, at Hannaford supermarkets, illustrates this point perfectly. A lot of people are comparing the incident to last year’s breach at TJX, but the two stories have far less in common that it appears at first blush.
While both companies are retailers, the attacks on their systems look to have come from markedly different points. The folks who broke into TJX’s network did so by sitting outside one of its stores and capturing wireless network traffic. A simple, common attack. The details of the Hannaford incident are still pretty murky, but the language in the statement from the company’s CEO and other bits of data that have emerged today suggest that the chain may have been the victim of a man-in-the-middle attack. The company said that customer credit card and debit card numbers were stolen during the card verification process, meaning that there was a bad guy somewhere between the point-of-sale device that captures the data and the third-party system that verifies it and authorizes the purchase. This could be anything from a Trojan on Hannaford’s own network to a rogue employee of the grocery chain or its payment partners. It’s impossible to tell at this point.
The other key difference between TJX and Hannaford is that the thieves who attacked Hannaford didn’t bother messing with the customer database; they went straight for the highest value assets, the card numbers. The TJX hackers took customer Social Security numbers, addresses and other personally identifiable information, which is scarier to consumers. But many of the card numbers that were taken from TJX were obfuscated and so were of no use. The Hannaford attack looks much more like the work of professionals, which should be scarier for security staffs.