Oops….another big one…..
Everyone is reporting it now but here’s one feature from the SMH. You gotta love the spin put on the announcement:
http://www.hannaford.com/Contents/News_Events/News/News.shtml
Somehow they make the following sound like it’s not too bad at all! Good luck guys:
“Hannaford has contained a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.
We sincerely regret this intrusion into our systems, which, we believe, are among the strongest in the industry. The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization.”
“Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions” … yeah…okay but…..
“Limited to..”?
I suppose you have to put out something like that, but it would be interesting to be a fly on the wall in the discussions the Payment Card Industry’s investigator is having post-review with the PCI about how close these guys’ systems are to being “among the strongest in the industry”.
See my previous post….it’s only a matter of time before a bricks and mortar business does not recover from one of these “incidents”.
March 18th, 2008 at 7:40 pm
http://ap.google.com/article/ALeqM5ipET-mkUFMHvZNMr5WJkcg82NHIwD8VFDD0O0
“PORTLAND, Maine (AP) — A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.”
March 18th, 2008 at 7:55 pm
Surprise, surprise….now the number of cases of fraud grows with each day…..did they not expect that? Seriously, based on our experience, many do not.
March 18th, 2008 at 9:35 pm
So, where does an investigation start and end in a scenario like this? It’s not like your old cops and robbers scenario. Every man and his dog could potentially be implicated!
@The Big Galoot as an ex-detective and now “IT Security Legend” – what do you say? As discussed in the forum, do you just give up or is it possible to hunt the bad guys down?
March 19th, 2008 at 8:43 am
Attrition.org attempts to keep a list of all publicly known data loss incidents from around the world on their mailing list. Check out http://attrition.org/dataloss/
March 19th, 2008 at 8:47 am
It’s far too early to call whether or not you’d relegate this incident into the ‘too hard’ basket. It certainly looks ugly.
But you gotta laugh at the schmaltzy, saccharine-flavoured announcement by the CEO Ronald C Hodge:
“As always, we appreciate you choosing to shop at Hannaford. We remain committed to providing you with the finest foods and a clean, friendly and secure shopping experience.”
Aside from the highly questionable ‘commitment to a secure shopping experience’, CEO Ronald C Hodge’s use of the royal “we” instead of “I” dilutes the blame from himself to his entire organisation.
All of which makes me think – we need to add another rule to our Ostrich Risk Management theory. Here goes…
If the shit hits the fan, take no responsibility, blame someone else, blame lots of people, the more the better.
BG.
March 19th, 2008 at 9:10 am
“If the shit hits the fan, take no responsibility, blame someone else, blame lots of people, the more the better.”
-Big Galoot. Ex Detective.
nuff said.
March 19th, 2008 at 11:13 am
What’s with the focus on this ‘ex-Detective’ crap – for God’s sake?
I’m also an ex-part-time shop assistant, an ex-bank teller, an ex-sys admin, an ex-lots of general bloody dogsbody things… but no-one gives a rat’s arse about that, eh?
From now on, I have a simple request. Pls cut the ‘ex’ stuff, for f’s sake. I am what I am…. A Big Galoot!
:- )
BG.
March 19th, 2008 at 2:34 pm
Sorry BG,
It was meant tongue in cheek.
No hard feelings, comrade.
March 20th, 2008 at 10:40 am
Nice take on this. Thanks Wade for the link:
http://securitywatch.eweek.com/hannaford_data_breach_the_security_vendor_conundrum.html
Related:
http://beastorbuddha.com/2008/02/27/symantec-will-save-us-allproactive-protection-against-unknown-and-zero-day-threats/
March 30th, 2008 at 5:55 pm
Okay, we know the reason …. it is reason A or maybe reason B, reason C sounds plausible or it’s some other reason…but we know something happened.
http://tinyurl.com/2uejq4
April 3rd, 2008 at 3:14 pm
I like this take on it from Anton Chuvakin:
http://chuvakin.blogspot.com/2008/04/it-was-insider-sorry-we-are-idiots.html