I don’t normally bother to comment on the stream of ‘breach’ stories but Hannaford was different from the beginning. They were doing the ‘right thing’ and were PCI compliant, yet were the apparent source of a large number of credit card fraud cases. Hordes of security vendors building franchises around the credit card industry’s self imposed Payment Card Industry Data Security Standard cowered as the story took shape, and one of Hannaford’s own PCI providers engaged in some ‘customer reference’ gymnastics.
The story is still emerging, but it sounds like Hannaford didn’t detect it internally, rather normal card fraud alerts pointed back to them. Despite missing the breach itself, kudos to Hannaford for fessing up once they became aware.
Most of the ‘how it happened’ guesswork is pointing to malicious software that was able to spread inside the Hannaford network onto systems behind the protective measures prescribed by PCI DSS: “One piece of malware on one machine leaped to 300 other servers”. “Leaped”? That must be a new malware attack vector they’ll reveal this week at the RSA Conference.
Some are saying this shows PCI is ineffective: “In other words, PCI is worthless”
I disagree. (Even though one of my own credit cards was apparently duplicated in the last couple of weeks, giving someone a lucrative weekend shopping spree through central Ontario…)
While the Hannaford breach clearly demonstrates that PCI needs to go further before it is an effective weapon, there is no doubt that it is moving the payment industry in the right direction.