Technical details remain light in supermarket data breach

Technical details remain light in supermarket data breach
Technical details remain light in supermarket data breach 

By Robert Vamos
Defense in Depth
March 19, 2008

Details remain sketchy regarding Monday's announcement of 4.2 million 
credit card and debit cards exposed at a Maine-based supermarket chain. 
However, public comments made by Ronald Hodge, CEO of Hannaford 
Supermarkets, suggest that even with recent improvements in payment card 
transaction security, there may be holes.

The standards organization, PCI Security Standards International, was 
founded by American Express, Discover Financial Services, JCB, 
MasterCard Worldwide, and Visa International. In October 2007, they 
implemented the PCI Data Security Standard (PCI DSS), which includes, 
among other things, network specifications. Dr. Neal Krawetz of Hacker 
Factor Solutions said that PCI DSS allows for the storage of card 
numbers and expiration dates on a branch server. And that's what may be 
been compromised in this case.

Krawetz said, generally, that the traffic between the cash register and 
the credit card companies is secure. The transaction often takes place 
at the cash register with the customer standing by. After the customer 
leaves the information is broadcast to a branch server.

If criminals were to target a single cash register, they would not 
achieve the volume credited to this latest data breach; to steal 4.2 
million accounts would require to a larger repository. In retail stores, 
especially in large chains, branch servers are used to collect data from 
individual cash registers and may store the data locally, regionally, or 

That's why branch servers are becoming the targets of sophisticated 
attacks. Last summer, Krawetz released a paper (click for PDF) outlining 
that the communication between the cash register and the branch server 
is not secure. Sometimes the data from cash register to branch server is 
transmitted wirelessly over unencrypted networks, although there is not 
enough information here to suggest that is what happened at Hannaford.

Krawetz cautioned that at this point many important details regarding 
Hannaford are lacking. "The size of the compromise sure sounds like it 
could be a branch or regional server." Hodge, in his public letter to 
Hannaford customers, acknowledged that the intrusion affected the 
Hannaford stores, Sweetbay stores in Florida, and certain independently 
owned retail locations in the Northeast that carry Hannaford products.

If branch servers are to blame, recent security standards would appear 
to be lacking. The Washington Post's Brian Krebs quoted a CyberTrust 
executive, Bryan Satrin, who echoed that concern, saying that "these 
organizations can be (compliant with the credit card industry security 
standards) and still have customer data stolen."

Last March, TJX announced that 45.7 million accounts were compromised 
over a two-year period in a data breach of customer records at T.J. Maxx 
and Marshalls retail chains.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods