Technical details remain light in supermarket data breach
Suspicion centers on branch servers which collect and store credit card information for millions of customers at large retails stores.
Details remain sketchy regarding Monday's announcement of 4.2 million credit card and debit cards exposed at a Maine-based supermarket chain. However, public comments made by Ronald Hodge, CEO of Hannaford Supermarkets, suggest that even with recent improvements in payment card transaction security, there may be holes.
The standards organization, PCI Security Standards International, was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. In October 2007, they implemented the PCI Data Security Standard (PCI DSS), which includes, among other things, network specifications. Dr. Neal Krawetz of Hacker Factor Solutions said that PCI DSS allows for the storage of card numbers and expiration dates on a branch server. And that's what may be been compromised in this case.
Krawetz said, generally, that the traffic between the cash register and the credit card companies is secure. The transaction often takes place at the cash register with the customer standing by. After the customer leaves the information is broadcast to a branch server.
If criminals were to target a single cash register, they would not achieve the volume credited to this latest data breach; to steal 4.2 million accounts would require access to a larger repository. In retail stores, especially in large chains, branch servers are used to collect data from individual cash registers and may store the data locally, regionally, or nationally.
That's why branch servers are becoming the targets of sophisticated attacks. Last summer, Krawetz released a paper (click for PDF) outlining that the communication between the cash register and the branch server is not secure. Sometimes the data from cash register to branch server is transmitted wirelessly over unencrypted networks, although there is not enough information here to suggest that is what happened at Hannaford.
Krawetz cautioned that at this point many important details regarding Hannaford are lacking. "The size of the compromise sure sounds like it could be a branch or regional server." Hodge, in his public letter to Hannaford customers, acknowledged that the intrusion affected the Hannaford stores, Sweetbay stores in Florida, and certain independently owned retail locations in the Northeast that carry Hannaford products.
If branch servers are to blame, recent security standards would appear to be lacking. The Washington Post's Brian Krebs quoted a CyberTrust executive, Bryan Satrin, who echoed that concern, saying that "these organizations can be (compliant with the credit card industry security standards) and still have customer data stolen."
Last March, TJX announced that 45.7 million accounts were compromised over a two-year period in a data breach of customer records at T.J. Maxx and Marshalls retail chains.