BreachExchange mailing list archives
Re: Hannaford spending millions to upgrade after security breach
From: "Jamie C. Pole" <jpole () jcpa com>
Date: Tue, 22 Apr 2008 15:42:46 -0400
Wow - I'm happy that AP saw fit to minimize the Hannaford incident by comparing it with TJX. I'm sure Hannaford's lawyers also appreciate that statement.

As far as Hannaford buying a "24/7-managed security monitoring and detection service" from IBM, I'm very happy for them, but I still want to know how a PCI-compliant environment was breached, and how the vendor that sold Hannaford its PCI compliance certificate is still selling product. Not 30 minutes ago, I got a blast-spam advertisement from Rapid7 regarding the very product that Hannaford was using. Why would I buy that product? Why would I recommend that product to a client? How is the IBM monitoring solution going to prevent another breach? Is Hannaford still using the Rapid7 product?

Is Hannaford still PCI-compliant? If so, HOW??? This incident graphically demonstrated that their PCI compliance certificate was bogus. Even if we believe that none of the systems involved in the breach were covered by PCI (which we don't), why didn't the PCI assessment identify those systems as being necessary? Why was credit card information accessible from systems that were not part of the PCI environment? How has Hannaford been processing credit card transactions since the incident?

Lots of questions...

Jamie

On Apr 22, 2008, at 3:25 PM, lyger wrote:
http://ap.google.com/article/ALeqM5ic85268s4GzOT78ixJKz-vlSzxuwD90725C00

Hannaford Bros. Co. said Tuesday it is spending millions of dollars to enhance the security of its data network following a massive security breach that exposed up to 4.2 million credit and debit card numbers to fraud. It was during the card approval process that customer accounts at grocery stores in the Northeast and Florida were compromised from Dec. 7 to March 10. That exposure occurred even though the company met the latest standards for data security.

Company officials said Tuesday that the new measures include encryption of all card numbers during the entire time they are within the supermarket chain's data network. Hannaford also said it has installed a "24/7-managed security monitoring and detection service" from IBM to detect intrusions.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss
Current thread:
- Hannaford spending millions to upgrade after security breach lyger (Apr 22)
- Re: Hannaford spending millions to upgrade after security breach Jamie C. Pole (Apr 22)
- Re: Hannaford spending millions to upgrade after security breach TS Glassey (Apr 22)