BreachExchange mailing list archives

Re: Hannaford spending millions to upgrade after security breach


From: "Jamie C. Pole" <jpole () jcpa com>
Date: Tue, 22 Apr 2008 15:42:46 -0400


Wow - I'm happy that AP saw fit to minimize the Hannaford incident by  
comparing it with TJX.  I'm sure Hannaford's lawyers also appreciate  
that statement.

As far as Hannaford buying a "24/7-managed security monitoring and  
detection service" from IBM, I'm very happy for them, but I still want  
to know how a PCI-compliant environment was breached, and how the  
vendor that sold Hannaford its PCI compliance certificate is still  
selling product.  Not 30 minutes ago, I got a blast-spam advertisement  
from Rapid7 regarding the very product that Hannaford was using.  Why  
would I buy that product?  Why would I recommend that product to a  
client?

How is the IBM monitoring solution going to prevent another breach?   
Is Hannaford still using the Rapid7 product?

Is Hannaford still PCI-compliant?  If so, HOW???  This incident  
graphically demonstrated that their PCI compliance certificate was  
bogus.  Even if we believe that none of the systems involved in the  
breach were covered by PCI (which we don't), why didn't the PCI  
assessment identify those systems as being necessary?  Why was credit  
card information accessible from systems that were not part of the PCI  
environment?  How has Hannaford been processing credit card  
transactions since the incident?

Lots of questions...

Jamie


On Apr 22, 2008, at 3:25 PM, lyger wrote:


http://ap.google.com/article/ALeqM5ic85268s4GzOT78ixJKz-vlSzxuwD90725C00

Hannaford Bros. Co. said Tuesday it is spending millions of dollars to
enhance the security of its data network following a massive security
breach that exposed up to 4.2 million credit and debit card numbers to
fraud.

It was during the card approval process that customer accounts at grocery
stores in the Northeast and Florida were compromised from Dec. 7 to March
10. That exposure occurred even though the company met the latest
standards for data security.

Company officials said Tuesday that the new measures include encryption of
all card numbers during the entire time they are within the supermarket
chain's data network. Hannaford also said it has installed a "24/7-managed
security monitoring and detection service" from IBM to detect intrusions.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
