Unapproved System Configuration Changes Create Risk

When you pick up the morning paper or turn on the news, you don't expect a story about your credit or debit card information being at risk. Recent events, such as the announced security breaches at the Hannaford supermarket chain and the Okemo Mountain Resort in Vermont, suggest this will become an all too common event. The breaches that occurred earlier this year, affecting more than four million individuals and their families, pale in comparison to the TJX data breach of a year ago, in which the records of more than 40 million consumers were placed at risk. Even so, they raise plenty of issues that should concern both corporations and consumers.

Time to Discovery and Notification: The first concern is the length of time that passed between discovery of the breach and notification of customers and the general public. In the case of Hannaford, according to several reports in the Portland Press Herald, the breach appears to have begun in December 2007 and was discovered on February 27, and then only after notification from First Data, the company handling transactions for Discover and American Express. In other words, the compromise went unnoticed internally for roughly three months and was detected by a payment processor rather than by Hannaford's own monitoring. Identifying the cause took until March 10 and required a team of 30 information technology specialists and outside security professionals. According to statements from Hannaford, the code believed to be responsible was a form of 'malware,' short for malicious software. Finally, the suspect code was sent to a Virginia-based lab for reverse engineering so that it could be cleared from the company's systems, and only then, on March 17, did the company notify the media.

Okemo Mountain Resort appears to have gone public more swiftly once it had identified the breach, taking a little more than a month to share the information. However, the malware used in Okemo's case not only captured payment card information from February 7 through February 22, but also harvested data from card transactions dating back to March 2006. That two-year-old transaction data was still on the system to be taken is itself worth noting; the PCI DSS requires that stored cardholder data be kept to the minimum needed and retained no longer than necessary.

Breach Creep: One concern specific to the Hannaford data loss was how widely spread the affected consumers were geographically, and that the breach extended beyond Hannaford's own properties. Customers of more than 250 Hannaford and Sweetbay stores in the Northeast and Florida, along with, according to a statement posted on the Hannaford Web site, approximately 50 additional "independently-owned retail locations in the Northeast that carry Hannaford products," were all victims when the malware propagated throughout the network infrastructure connecting Hannaford's stores and the independent retailers. A network in which store systems and third-party retailers can all reach one another is what lets a single infection become a chain-wide one; segmenting the cardholder data environment limits how far such code can travel.

With automated configuration auditing software, it is possible to record each system's current configuration and compare those attributes against an approved baseline and standards. Unapproved changes then surface quickly: new executables, altered binaries, modified services, or changed permissions, which are exactly the kinds of changes malware makes to persist, propagate across the store network, and export cardholder data.

Expansion from credit card data to identity data: A third area of concern arises from the statement by Hannaford CEO Ron Hodge that "No personal information, such as names or addresses, was accessed. Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions." With Hannaford itself reporting "1,800 fraud complaints tied to the security failure thus far," it was hard to imagine that the magstripe data from the cards had not been compromised. While it appears that only enough data was captured to create counterfeit cards, the numbers raise the question of whether earlier notification might have thwarted the cybercriminals and reduced the number of individuals whose card data was misused.

Cost, penalties and fines: A fourth area of concern is the overall cost. Hannaford has publicly stated that it passed two PCI assessments in the past year, including one while the breach was under way, and does not appear likely to face penalties from the card brands. A passed assessment is a point-in-time attestation, however, not evidence that controls were operating effectively throughout the period, which is precisely the gap that continuous configuration monitoring is meant to close. Meanwhile, several lawsuits have been filed against Hannaford in multiple states seeking damages.

Yet that represents only a portion of the cost. In a story by David Hench in the Portland Press Herald's April 6 edition, it was reported that a team of 30 information technology specialists and outside security professionals spent at least two to three weeks identifying the malware behind the breach and then removing it from the company's systems. In the process, a Virginia-based lab was contracted to reverse engineer the code to help with removal. All of this would have come at substantial cost.

In fact, in the April 22 edition of the Boston Globe, Hannaford indicated that it is spending millions of dollars to enhance the security of its data network, including "encryption of all card numbers the entire time they are within the supermarket chain's data network" and "installing a '24/7-managed security monitoring and detection service.'"

Yet those aren't the only costs that will be associated with the breaches at Hannaford and Okemo. Many banks and credit unions, either on their own or at the request of their customers and members, have been reissuing cards. According to a quote by Chris Daudelin, president of Town & Country Federal Credit Union in South Portland, ME, in the March 26 Portland Press Herald, "The cost of reissuing cards, both debit and credit, are at the expense of the financial institution." Daudelin's credit union expects to issue about 14,000 new cards at a cost he estimated at between $10 and $12 per card.

In addition, consumers whose debit card information was compromised will have to apply to have their funds restored, since any fraudulent transactions come straight out of their checking accounts. Typically, that process can take weeks or even months.

However, perhaps the greatest costs will be less visible but borne entirely by the consumer. In low-margin businesses like supermarkets, or in businesses with volatile seasons like the ski industry, it is hard to believe that the costs of upgrading infrastructure security, paying fines, or settling with litigants will not lead to higher food prices or lift tickets. In Hannaford's case, the cost may also come in something as subtle as time. If all card data is now encrypted within Hannaford's data network, point-of-sale devices at the register will need to encrypt card data as it is read, and the processor at the other end will need to decrypt it before approving the transaction. At a minimum, this could add delay at the register.

Summary: Employing available tools to gain better visibility into the configuration of their systems would have given both companies prompt notification when the presence or integrity of installed software was compromised or when new, unapproved software was installed. That includes any changes the malware made to access rights, permissions and other key identity and access settings, changes it would likely have needed in order to propagate to other systems on the network and to move sensitive financial information off them. Time will tell, but it is hard to imagine that today's configuration audit and compliance reporting tools could not have minimized the impact of either attack.
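The check described in the summary and in the earlier paragraph on automated configuration software, as an added example that is not Hannaford's, Okemo's or any vendor's tooling: a small Python configuration-drift audit that records the hash, permission bits and owner of every regular file under a root, compares a later snapshot against that approved baseline, applies a simple permission policy on top of the baseline comparison, and excludes paths covered by an approved change record. The directory layout, file names, the simulated compromise and the change record are all constructed for the demonstration.

```python
"""Configuration drift audit: approved baseline vs. current host state.

Added example, not code from the page or from any company it describes.
All paths, contents and the change ticket below are constructed for the demo.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    sha256: str
    mode: int  # permission bits only (stat.S_IMODE), including setuid/setgid
    uid: int


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record hash, permission bits and owner of every regular file under root,
    keyed by path relative to root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and devices are out of scope for this example
            rel = os.path.relpath(path, root)
            snap[rel] = Entry(_sha256(path), stat.S_IMODE(st.st_mode), st.st_uid)
    return snap


def compare(baseline, current, approved=frozenset()):
    """Return sorted (finding, path, detail) tuples for every deviation from the
    approved baseline or from the permission policy. Paths listed in an approved
    change record are excluded so that scheduled changes do not raise alerts."""
    findings = []
    for path, cur in sorted(current.items()):
        base = baseline.get(path)
        if base is None:
            findings.append(("unapproved_software", path, "not in baseline"))
        else:
            if cur.sha256 != base.sha256:
                findings.append(("integrity", path, "content changed"))
            if cur.mode != base.mode or cur.uid != base.uid:
                findings.append(("access_rights", path, "mode %o->%o uid %d->%d"
                                 % (base.mode, cur.mode, base.uid, cur.uid)))
        # Policy checks run even for baselined files: the standard is the
        # standard regardless of what the last approved snapshot looked like.
        if cur.mode & stat.S_IWOTH:
            findings.append(("policy", path, "world-writable"))
        if cur.mode & (stat.S_ISUID | stat.S_ISGID) and (base is None or cur.mode != base.mode):
            findings.append(("policy", path, "new setuid/setgid bit"))
    for path in sorted(baseline):
        if path not in current:
            findings.append(("missing", path, "file removed"))
    return [f for f in findings if f[1] not in approved]


def demo():
    """Build a toy store host, take the approved baseline, then make the kinds of
    changes malware makes and re-audit. Returns the findings list."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        pos = os.path.join(root, "bin", "pos")
        conf = os.path.join(root, "etc", "pos.conf")
        with open(pos, "wb") as f:
            f.write(b"\x7fELF-approved-pos-binary")  # constructed stand-in
        with open(conf, "w") as f:
            f.write("processor=first-data\n")
        os.chmod(pos, 0o755)
        os.chmod(conf, 0o640)
        baseline = snapshot(root)

        # Simulated compromise (constructed): trojaned POS binary, a dropped
        # collector, and a config file opened up to ease propagation.
        with open(pos, "ab") as f:
            f.write(b"-plus-card-sniffer")
        dropped = os.path.join(root, "bin", ".svchost")
        with open(dropped, "wb") as f:
            f.write(b"collector")
        os.chmod(dropped, 0o755)
        os.chmod(conf, 0o666)

        # A scheduled, approved change covers only this one new file.
        with open(os.path.join(root, "etc", "release-notes.txt"), "w") as f:
            f.write("patch 4.2\n")
        approved = frozenset({"etc/release-notes.txt"})
        return compare(baseline, snapshot(root), approved)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print("%-20s %-22s %s" % (kind, path, detail))
```

Run directly, the script reports the dropped collector as unapproved software, the modified POS binary as an integrity failure, and the configuration file both as an access-rights change and as a policy violation, while the approved release-notes file stays silent. In a real deployment the baseline is signed and stored off the host, snapshots are taken on a schedule or triggered by file-change events, and the findings feed the monitoring service rather than standard output.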