APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Hannaford Security Breach

We first discovered Hannaford in Western Mass. many years ago. We loved it immediately: they had the foods we wanted and their prices were better than the big name stores. We wished that they had a store near to us.

When we moved down to Middleboro two years ago we were delighted to find a Hannaford's here. It's a smaller store, but we find what we want and again the prices are good. We really like Hannaford.

Ah, but then this big credit card mess: www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9068999 (link dead, sorry), "New retail data breach may have affected millions of Hannaford shoppers". That's upsetting, and as Geeks Are Sexy pointed out, the way Hannaford presented its response might indicate a weak IT department.

However, we don't even know if it really was a "data breach". If Hannaford doesn't have a strong CIO, I certainly don't trust that the President or VP of Marketing has any real clue as to what really happened. For all we know, this was an inside job: someone inside their data center could have passed credit card info out or arranged an open door. This could easily have been an "invitation" rather than a breach.

Hannaford's day of shame will pass. They'll hire a CIO or at least a good outside consultant and they will shore up their defenses. But what worries me is that there are a lot of "Hannafords" out there: companies who are large enough to have data worth stealing but small enough that they may not have good security controls in place. I could spit out a few dozen names without even thinking hard: you probably drive by many just like this every day. Small chains, often regional, competing hard against their national counterparts: how many do you think have strong IT departments? I'd guess that not many do... and that worries me, particularly as we slide toward economic hard times: when the going gets tough, criminals have even more reason to look for prey, and isn't IT often quite vulnerable to layoffs and cutbacks? You betcha: the VP of marketing probably sees IT as mostly fluff anyway... they don't bring in money, right?

My bet is that we'll see more of this... unfortunately.

4 comments
© Anthony Lawrence







Wed Mar 19 11:05:12 2008: 3855   TonyLawrence

This morning we learn: (link)

Nexpose has already taken down its page bragging about that...



Wed Mar 19 13:03:57 2008: 3856   BruceGarlock


We always shop at Hannaford, and found the same things: great choices at lower prices. We live right on the NH border, so we usually visit the Hannaford over the border in NH. My bank cut off my debit card. I went to use it to pay for gas yesterday, and it kept coming up with "Invalid Transaction". Another employee at the cashier desk quickly pointed out that she had this happen to several customers today, and it was probably due to the Hannaford credit/debit card issue.

I guess I will have to make a trip to the bank until I get my new card. I looked on-line, and it did not look like anything was out of order with our account, so that is good news.

People really need to wake up to this stuff. How many times have you heard of some government employee taking their laptop home, filled with personal info and SSNs? My sister-in-law actually had her identity stolen, due to someone at the state level in CT losing their laptop, with her SSN and address, and those of thousands of other CT citizens, on it.

I hope these people get a clue to something FREE, like TrueCrypt:

(link)

It's free, does whole HD encryption, and virtually guarantees that information cannot be stolen without the secret passphrase. Why don't people use this stuff?



Wed Mar 19 13:34:18 2008: 3857   BigDumbDinosaur


Of course, what do you do about the fools who go home at night and leave their office PCs logged in? I have several clients where that sort of behavior is routine. The janitor could access the payroll, A/R or customer database. One shouldn't assume that the janitor is incapable of stealing information from a computer. The system is no more secure than the individuals using it.



Thu Mar 20 23:00:10 2008: 3866   drag


Attrition.org has an amusing page on the Rapid7 thing, including shots of the website before and after. They also have a rebuttal posted from Rapid7 linked to the following page.
(link)

Attrition.org may not seem like much from their website, but they do a lot of good (in terms of information security) by doing things like running various mailing lists and backing the OSVDB. Right now the latest thing they are attempting to do is create an _accurate_ database of data loss incidents. They've been up to it for a while now and it's amazing how much they have been able to collect. They are looking for more volunteers, though.

You can find it at (link)
