The fallout over the data breach at Hannaford Bros. continued Wednesday, as Massachusetts officials suggested the supermarket chain was too slow in disclosing the incident and one of the retailer's security vendors went on the defensive.
Officials suggested in published reports that under state law, Hannaford should have notified the Massachusetts Office of Consumer Affairs and Business Regulation as soon as the company became aware of the breach. As of Wednesday afternoon, the consumer affairs office had yet to receive the official notification. The law took effect last year in the wake of the massive data breach at Framingham, Mass.-based TJX Companies Inc.
The Maine-based supermarket chain revealed Tuesday that it first detected something amiss three weeks ago but that it held off on disclosure until it could gather more information for customers. In any event, The Boston Globe reported, Hannaford may not have been bound by the law, because only credit and debit card numbers were compromised, not personally identifiable information such as Social Security numbers, names, addresses and account numbers.
Meanwhile, Hannaford's network security vendor, Boston-based Rapid 7, has come under fire from the Attrition.org website for its apparent attempt to wipe all mention of Hannaford from its site, even though the company made plenty of public relations hay out of the relationship when it first secured Hannaford as a customer.
In a phone conversation Tuesday, David Precopio, vice president of marketing and business development at Rapid 7, said the breach would not have been picked up by its vulnerability scanning appliance, NeXpose. Hannaford installed the network scanner in 2006.
"We were 100% assured today that our system had nothing to do with the breach or anything that NeXpose could have scanned," he said. "This wasn't an issue with scanning performance."
Precopio said Hannaford renewed its support license two weeks ago. The NeXpose scanner scans all network systems, from laptops to databases.
"The Hannaford case was something outside the reach of what our product would scan for," Precopio said, adding that the scanner doesn't monitor Internet traffic handled by an ISP or traffic from other services that may have connected over a VPN. A network misconfiguration also would be overlooked by a vulnerability scanner, he said. To cover those security gaps, companies should turn to gap analysis tools or penetration testing, he said.
"This demonstrates that there are a lot more targeted attacks out there and the targeted attacks have a high monetary risk," Precopio said.
Investigators could also be looking at WebSphere MQ, IBM's message-queuing middleware, which is used as a network-messaging carrier for sensitive applications such as ATM and credit card transactions. Hannaford installed WebSphere MQ as part of a server consolidation project and a strategy to connect its systems in a service-oriented architecture. But recently security researchers have been looking at the implementation complexities of WebSphere MQ and the risks it introduces.
John Yeo, a security consultant with UK-based Information Risk Management, said demanding requirements from business units often lead to insecure implementations. Put simply, traffic could be exposed through mistakes made when WebSphere MQ was installed and maintained. Security consultants recently told SearchSecurity.com that misconfigured networks are a growing problem that poses a bigger threat than the software vulnerabilities that typically gain all the attention. The problem runs the gamut from mismatched applications and hardware, and security systems that are put in place but not regularly maintained, to wireless access points left open with no defenses attached, according to IT consultants who have seen the problems first hand.
Yeo said traffic using WebSphere MQ could be exposed through traffic sniffing, allowing an attacker on the network path to read sensitive financial account data and transaction details. By default, the traffic between queue managers and clients is unencrypted; encryption has to be configured explicitly on each channel. Queue managers are also often misconfigured, allowing an unauthorized user to read messages from, and write messages to, application message queues.
"Reading messages from the application's message queue will expose customer and financial account data," Yeo said in a research report, "WebSphere MQ Threats."
Application design flaws and weak encryption choices could also contribute to traffic being exposed via WebSphere MQ.
"Due to the types of data typically transported by WebSphere MQ – confidential business intelligence or B2B transaction logs, the endgame scenario is not necessarily a full system compromise; unauthorized read access to the messages may have equally adverse consequences," Yeo said in the research report.
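The two misconfigurations Yeo describes, channels that carry messages in clear text and queue managers that accept whatever user identity a client asserts, both show up directly in a queue manager's channel definitions. The script below is an added example for this article, not code from Hannaford, IBM or Information Risk Management: it parses the text that `runmqsc` prints for `DISPLAY CHANNEL(*) WHERE(CHLTYPE EQ SVRCONN) SSLCIPH SSLCAUTH MCAUSER` and flags server-connection channels with no CipherSpec, no mandatory client certificate, or an administrative or blank MCAUSER. The sample output, channel names and application user ids are constructed for the example and mirror runmqsc's format rather than coming from any real system.

```python
"""Audit WebSphere MQ server-connection (SVRCONN) channels for two weaknesses:
no TLS on the channel, and no fixed MCAUSER, which makes the queue manager
trust the user id the connecting client asserts (including 'mqm').

Input is the text runmqsc prints for:
    DISPLAY CHANNEL(*) WHERE(CHLTYPE EQ SVRCONN) SSLCIPH SSLCAUTH MCAUSER
The sample below is constructed for this example; it is not a real capture."""
import re
from typing import Dict, List

SAMPLE_RUNMQSC_OUTPUT = """\
     1 : DISPLAY CHANNEL(*) WHERE(CHLTYPE EQ SVRCONN) SSLCIPH SSLCAUTH MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(POS.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH( )                              SSLCAUTH(OPTIONAL)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SSLCIPH( )                              SSLCAUTH(OPTIONAL)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(SETTLE.SVRCONN)                 CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)   SSLCAUTH(REQUIRED)
   MCAUSER(settleapp)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)   SSLCAUTH(OPTIONAL)
   MCAUSER(mqm)
"""

# runmqsc prints attributes as KEY(VALUE), several per line; a blank value
# is shown as a single space inside the parentheses.
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text: str) -> List[Dict[str, str]]:
    """Split runmqsc DISPLAY CHANNEL output into one attribute dict per channel."""
    channels: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):            # header of a new channel record
            channels.append({})
        elif channels and line.startswith(" "):   # attribute lines are indented
            for key, val in ATTR_RE.findall(line):
                channels[-1][key] = val.strip().strip("'")
    return channels


def audit(channels: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {channel name: [issues]} for every weak SVRCONN channel."""
    findings: Dict[str, List[str]] = {}
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        issues = []
        if not ch.get("SSLCIPH"):
            issues.append("no TLS: channel carries messages in clear text")
        elif ch.get("SSLCAUTH") != "REQUIRED":
            issues.append("TLS without client certificate: clients are not authenticated")
        mcauser = ch.get("MCAUSER", "")
        if not mcauser:
            issues.append("blank MCAUSER: queue manager trusts the user id the client asserts")
        elif mcauser == "mqm":
            issues.append("MCAUSER(mqm): every connection runs as an MQ administrator")
        if issues:
            findings[ch["CHANNEL"]] = issues
    return findings


def remediation(channel: str, app_user: str,
                cipher: str = "TLS_RSA_WITH_AES_128_CBC_SHA") -> str:
    """MQSC command that pins a channel to TLS with client certificates and a
    fixed low-privilege user. app_user is a hypothetical OS account; grant it
    only the put/get it needs with setmqaut afterwards."""
    return (f"ALTER CHANNEL({channel}) CHLTYPE(SVRCONN) SSLCIPH({cipher}) "
            f"SSLCAUTH(REQUIRED) MCAUSER('{app_user}')")


if __name__ == "__main__":
    for name, issues in audit(parse_channels(SAMPLE_RUNMQSC_OUTPUT)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
        print("  fix:", remediation(name, app_user=name.split(".")[0].lower()))
```

Against the sample, the POS and default SVRCONN channels are flagged for both clear-text transport and a blank MCAUSER, the settlement channel passes, and the admin channel is flagged because it does not require a client certificate and runs as mqm. Replacing the constant with real `runmqsc` output turns this into a quick pre-audit of any queue manager; the ALTER it emits is a starting point, since the application's connection code and key repository must be set up for TLS before the channel is switched over.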
Senior News Writer Bill Brenner contributed to this report.