Media reporting of data breach events like the UK NHS, Heartland, Hannaford and Bank of America has overwhelmingly focused on the raw numbers of customer data records that were breached.
Little information is available regarding the root causes – how attackers exploited the system and people vulnerabilities to get the data.
Although US legislation requires disclosure of a data loss event, it does not require disclosure of the root causes of the event.
In the Hannaford Supermarket data breach case of over 4 million credit cards, the State of Massachusetts refused to provide details on their investigation. Hannaford claims that malware attacked their store servers and promptly signed a contract with IBM to replace over 250 store back office servers.
Let’s take a closer look and see if this makes sense.
Store back office servers in a retail POS system are never connected to the public Internet and therefore could not be attacked directly by malware. It is possible that there was network connectivity from the company’s internal administration network of Windows users to the store back office servers, and that this served as the vector for malware delivery. That is possible, and if true it is a reason to segregate the store networks from the administration network using technology such as Waterfall Systems, but it is not a reason to replace all the back office servers.
My gut feeling is that Hannaford may have had a case of credit card authorization requests being saved in temporary files that were accessible from a Windows share on the administration network, which made it child’s play to steal by an insider with reasonable knowledge and access to the network.
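The scenario above is something a defender can check for directly: walk the shares that the administration network can reach and look for primary account numbers (PANs) sitting in temporary or log files. The script below is an added example, not code from the original post or from Hannaford; the authorization record format and the file extensions scanned are constructed assumptions, and the card number is the standard Visa test number.

```python
import re
from pathlib import Path

# Constructed sample of an authorization request as it might be left behind
# in a temp file. The PAN is a well-known test number, not a real card.
SAMPLE_AUTH_FILE = """\
AUTH_REQ 2008-02-14 13:02:11 store=0142 lane=07
PAN=4111111111111111 EXP=0910 AMT=54.32
RESP=APPROVED CODE=123456
TRACE 0000 1234 5678 9012
"""

# Candidate PANs are 13-19 digit runs not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs (trace ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for each Luhn-valid digit run in text.

    Only the first six and last four digits are kept so the report itself
    does not become a second copy of the cardholder data.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                hits.append((lineno, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return hits


def scan_share(root: str, patterns=("*.tmp", "*.log", "*.txt")) -> dict:
    """Walk a mounted share and map each file path to the PAN hits found in it."""
    findings = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            try:
                hits = find_pans(path.read_text(errors="ignore"))
            except OSError:  # unreadable file: skip rather than abort the sweep
                continue
            if hits:
                findings[str(path)] = hits
    return findings
```

Run `scan_share` against the mount point of each share reachable from the administration network; any hit is a file that should not exist in that location, regardless of who created it.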