It's increasingly likely that a trusted insider with administrative network access was behind the Hannaford Bros. data breach, security experts said Friday. The scope of server-based malware infections the supermarket chain acknowledged in a letter to Massachusetts regulators appears bigger than anything a remote attacker could have pulled off, they say.
Experts said the breach should serve as a big lesson for retailers: It's as important to limit the network access of employees and regularly monitor system activity as it is to purchase security technology to block attacks from the outside. Furthermore, it's foolish for a company to consider itself bulletproof because it achieved PCI DSS compliance, as Hannaford's claims it did.
"The overarching conclusion I have that keeps getting reinforced is that the low-hanging fruit is inside the company and insiders are always getting more network privileges," said Mark MacAuley, a York, Maine-based IT security consultant who shops at Hannaford's regularly. "I don't see how anyone at Hannaford could get that level of access unless they were a very well-known entity."
That assessment comes amid the buzz over Hannaford's letter to Massachusetts Attorney General Martha Coakley and the Office of Consumer Affairs and Business Regulation, in which the Maine-based retailer concluded it was the victim of a "new and sophisticated" technique where the attacker sneaked malware onto servers at all of its nearly 300 grocery stores. The malware apparently snatched card data from customers as they swiped their card through the checkout counter machine and transferred the data overseas. A Coakley spokesperson confirmed the Attorney General's Office had received the letter, but that it would not be released to the public, even though details were published Friday in The Boston Globe.
An inside job?
Graham Cluley, senior technology consultant for UK-based security firm Sophos, said the malware was not the conventional kind that intercepts keyboard presses as a consumer logs into an online bank. Instead, it was apparently designed to lift credit card data as it streamed through the servers, which suggests it was written either to specifically target Hannaford or to target the commerce system that Hannaford had deployed.
"It almost seems too much of a coincidence to think that remote hackers could have chanced upon infecting each and every server with appropriate malware by exploiting a traditional security flaw such as a firewall misconfiguration or out-of-date antivirus solution," he said. "This may have been instigated by someone who knew more about how data was communicated through Hannaford's systems."
While the conventional wisdom points to an inside job, not everyone is convinced that was the case. Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, said it's unlikely that an insider could have or would have driven to every store on the eastern seaboard to infect every server. There are scenarios where an outside attacker could have pulled off the breach, he said. For example, they could have compromised one laptop or server, getting the foothold necessary for a broader attack.
"Another possibility is a direct attack through the more traditional methods where the thief gains access to an administrative system or account and branches out from there." A Web application attack was also possible, he said.
Compliance does not mean security
Much has been made of the fact that Hannaford's was on top of its PCI DSS compliance, which requires merchants to institute a variety of security controls to protect customer card data. MacAuley said companies often assume they're ironclad because they've been deemed compliant, but that's not the case. He said, for example, that PCI DSS leaves out some common-sense mandates, such as encrypting data at the moment a card is swiped.
"At financial services institutions, a big concern is the potential man-in-the-middle attack, where they could insert a sniffer and pull out data as it flows by," MacAuley said. "You can mitigate the risk by encrypting at the point of capture." Avivah Litan, a vice president at Stamford, Conn.-based Gartner Inc., agreed, saying encryption should be at the "point of swipe."
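To show concretely what "encrypting at the point of capture" buys against the sniffer MacAuley describes, the Go program below is an added example written for this page; it is not code from Hannaford, Gartner, Sophos or any other party named in the article. It pushes one constructed swipe through two flows: in the legacy flow the terminal hands Track 2 data to the in-store server in clear; in the second flow the terminal encrypts with AES-256-GCM before the data leaves it, and only the payment processor holds the key. A tap on the store server plays the sniffer and checks whether the card number ever crossed it. The PAN is a standard test number, and the track layout and the static per-terminal key are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample swipe: Track 2 data carrying a well-known test PAN, not a real card.
const (
	samplePAN    = "4111111111111111"
	sampleTrack2 = ";" + samplePAN + "=25121010000012345678?"
)

// Tap stands in for the sniffer the article describes: it keeps a copy of every
// byte that crosses the in-store server.
type Tap struct{ seen [][]byte }

// relay is the store server forwarding terminal traffic to the processor; a
// compromised server also copies the payload into the tap.
func (t *Tap) relay(payload []byte) []byte {
	t.seen = append(t.seen, append([]byte(nil), payload...))
	return payload
}

// Leaked reports whether the clear-text PAN appears anywhere in captured traffic.
func (t *Tap) Leaked(pan string) bool {
	for _, b := range t.seen {
		if bytes.Contains(b, []byte(pan)) {
			return true
		}
	}
	return false
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtCapture is the terminal side of "encrypt at the point of swipe":
// AES-256-GCM under a key shared only with the processor. Assumption: a static
// per-terminal key; deployed schemes derive a fresh key per transaction.
func encryptAtCapture(key []byte, track string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(track), nil), nil // nonce || ciphertext || tag
}

// processorDecrypt runs at the payment processor, the only other key holder.
// A payload altered in transit fails the GCM tag check instead of being accepted.
func processorDecrypt(key, payload []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(payload) < gcm.NonceSize() {
		return "", errors.New("payload too short")
	}
	pt, err := gcm.Open(nil, payload[:gcm.NonceSize()], payload[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Compare pushes one swipe through the legacy flow (track data in clear) and the
// encrypt-at-capture flow, and reports what a sniffer on the store server saw.
func Compare(track, pan string) (legacyLeaked, e2eLeaked bool, recovered string, err error) {
	key := make([]byte, 32) // AES-256
	if _, err = rand.Read(key); err != nil {
		return
	}
	legacy := &Tap{}
	legacy.relay([]byte(track))
	e2e := &Tap{}
	sealed, err := encryptAtCapture(key, track)
	if err != nil {
		return
	}
	recovered, err = processorDecrypt(key, e2e.relay(sealed))
	return legacy.Leaked(pan), e2e.Leaked(pan), recovered, err
}

func main() {
	l, e, r, err := Compare(sampleTrack2, samplePAN)
	if err != nil {
		panic(err)
	}
	fmt.Println("legacy leaks PAN:", l, "| encrypted leaks PAN:", e, "| processor recovered intact:", r == sampleTrack2)
}
```

The store server is still in the path in both flows; what changes is that in the second it only ever relays ciphertext, so malware sitting on it has nothing to harvest, and the GCM tag means a payload modified on that server is rejected by the processor rather than processed.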
There is one area where PCI DSS compliance could make life easier for Hannaford, however. If the company was indeed compliant at the time the breach occurred, Litan said the banks will have a hard time getting the supermarket chain to pay for all the credit and debit cards that have to be reissued.
"Under PCI rules, if they're compliant at the time of breach, the buck passes to the merchant bank," she said. "The issuing banks will want to get their money back. Visa will go to Hannaford's bank for that, and that bank would normally take the money out of Hannaford under normal circumstances. But if they were compliant and certified the day of the breach, then the acquiring bank is responsible because they accepted the compliance report."
Layer the security and pray
In the final analysis, companies need a layered security program so that if one defense fails, the bad guy must poke through other defenses. Even with a layered security program, the experts say there's no guarantee the company can prevent every attack from succeeding.
Chris Andrew, vice president of security technology at Lumension Security in Scottsdale, Ariz., said from his experience, a common problem is that a company falls behind in its patch deployments. Meanwhile, IT shops fail to control what kinds of devices employees can plug into company machines.
His advice is to avoid approaching security with a set-it-and-forget-it mentality.
"Good security requires constant care and it doesn't take much for an exploitable hole to develop," he said.