By Clement James
04 April 2008
A recent security breach at US supermarket chain Hannaford Bros was
almost certainly the work of hackers exploiting a single code flaw on
internal systems, experts say.
Hannaford Bros revealed last month that intruders had broken into its
network and stolen the credit card details of some 4.2 million
It is understood that the hackers managed to download card details after
the cards had been swiped at the checkout and were in the process of
Brian Chess, founder and chief scientist at security firm Fortify
Software, claimed that the uniformity of the breach suggests that the
attackers were taking advantage of a software weakness.
"The fact that the servers in almost all of the stores were compromised
makes it much more likely that the attackers found a vulnerability in a
piece of code that was common to all the servers and used malware to
exploit the weakness," he said.
"My guess is that hackers first broke into the internal corporate
network, then did some basic network scanning to identify all of the
"They then figured out that there was a vulnerability on some piece of
code running on all of the machines. We see many organisations that are
much more lax about internal systems."
Chess added that the interesting thing about the case is that Hannaford
Bros is believed to be fully PCI compliant and, as such, is unlikely to
have to pay fines under current PCI rules.
"The store chain had passed its PCI audit, but PCI takes a relaxed
attitude towards internal machines," he said.
The security expert pointed out that PCI DSS section 6.6, for example,
requires companies to "ensure that all web-facing applications are
protected against known attacks by applying either of the following
methods: having all custom application code reviewed for common
vulnerabilities by an organisation that specialises in application
security; and installing an application layer firewall in front of
This means that Hannaford Bros fulfilled section 6.6 by default so long
as its web applications were only for use inside the corporate network.
"PCI DSS is a lot like a fire code or a health code. It does not
guarantee smooth sailing, it just helps people avoid repeating a lot of
painful mistakes from the past," said Chess.
Subscribe to InfoSec News