APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Hannaford Security Breach

© March 2008 Anthony Lawrence

We first discovered Hannaford in Western Mass. many years ago. We loved it immediately: they had the foods we wanted and their prices were better than the big name stores. We wished that they had a store near to us.

When we moved down to Middleboro two years ago we were delighted to find a Hannaford's here. It's a smaller store, but we find what we want and again the prices are good. We really like Hannaford.

Ah, but then this big credit card mess: "New retail data breach may have affected millions of Hannaford shoppers" (www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9068999; link dead, sorry). That's upsetting, and as Geeks Are Sexy pointed out, the way Hannaford presented its response might indicate a weak IT department.

However, we don't even know if it really was a "data breach". If Hannaford doesn't have a strong CIO, I certainly don't trust that the President or VP of Marketing has any real clue as to what really happened. For all we know, this was an inside job: someone inside their data center could have passed credit card info out or arranged an open door. This could easily have been an "invitation" rather than a breach.

Hannaford's day of shame will pass. They'll hire a CIO or at least a good outside consultant and they will shore up their defenses. But what worries me is that there are a lot of "Hannafords" out there: companies who are large enough to have data worth stealing but small enough that they may not have good security controls in place. I could spit out a few dozen names without even thinking hard: you probably drive by many just like this every day. Small chains, often regional, competing hard against their national counterparts: how many do you think have strong IT departments? I'd guess that not many do.. and that worries me, particularly as we slide toward economic hard times: when the going gets tough, criminals have even more reason to look for prey, and isn't IT often quite vulnerable to layoffs and cutbacks? You betcha: the VP of marketing probably sees IT as mostly fluff anyway.. they don't bring in money, right?

My bet is that we'll see more of this.. unfortunately.


Wed Mar 19 11:05:12 2008: 3855   TonyLawrence

This morning we learn: (link)

Nexpose has already taken down its page bragging about that..

Wed Mar 19 13:03:57 2008: 3856   BruceGarlock

We always shop at Hannaford, and found the same things: great choices at lower prices. We live right on the NH border, so we usually visit the Hannaford over the border in NH. My bank cut off my debit card. I went to use it to pay for gas yesterday, and it kept coming up with "Invalid Transaction". Another employee at the cashier desk quickly pointed out that she had this happen to several customers today, and it was probably due to the Hannaford credit/debit card issue.

I guess I will have to make a trip to the bank until I get my new card. I looked on-line, and it did not look like anything was out of order with our account, so that is good news.

People really need to wake up to this stuff. How many times have you heard of some government employee taking their laptop home, filled with personal info and SSNs? My sister-in-law actually had her identity stolen, due to someone at the state level in CT losing their laptop, with her and thousands of other CT citizens' SSNs and addresses on it.

I hope these people get a clue to something FREE, like TrueCrypt:


It's free, does whole HD encryption, and virtually guarantees that information cannot be stolen without the secret passphrase. Why don't people use this stuff?

Wed Mar 19 13:34:18 2008: 3857   BigDumbDinosaur

Of course, what do you do about the fools who go home at night and leave their office PCs logged in? I have several clients where that sort of behavior is routine. The janitor could access the payroll, A/R or customer database. One shouldn't assume that the janitor is incapable of stealing information from a computer. The system is no more secure than the individuals using it.

Thu Mar 20 23:00:10 2008: 3866   drag

Attrition.org has an amusing page on the Rapid7 thing, including shots of the website before and after. They also have a rebuttal posted from Rapid7 linked to the following page.

Attrition.org may not seem like much from their website, but they do a lot of good (in terms of information security) by doing things like running various mailing lists and backing the OSVDB. Right now the latest thing they are attempting to do is create an _accurate_ database of data loss incidents. They've been up to it for a while now and it's amazing how much they have been able to collect. They are looking for more volunteers, though.

You can find it at (link)

