Wednesday, April 02, 2008


ANOTHER HUMONGOUS PERSONAL DATA BREACH WITH ONLY QUESTIONS AS TO HOW IT HAPPENED


Unless you are from the northeast you probably have never heard of the Hannaford supermarket chain. Based in Portland, Maine, they are now the not-so-proud owners of the largest personal data breach of 2008. The loss of 4.2 million credit card and debit card numbers took place while shoppers were swiping their cards in checkout lines. See MSNBC story. There have been at least 1,800 cases of fraud already since the breach began on December 7, 2007. No additional private information was lost like name/address, Social Security number, etc. Hannaford discovered it on February 27, 2008, but did not disclose it until the week of March 17. During that period the crooks made off with about $10.3 million of the victims’ money based on Javelin’s 2007 research figures of $5,720 per victim. According to E Commerce Times, malware was installed on the company’s servers, but the folks at Hannaford have no idea how it got there. If you don’t know, Microsoft/TechNet defines “malware” as short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, etc. However, Hannaford claims to be in compliance with the Payment Card Industry Standard, a security program that is supposed to protect customer personal data like this, which leads me to believe that PCI is not worth the paper it is printed on. Beth Givens of Privacy Rights Clearinghouse warns that debit card holders are most at risk because they aren’t covered by banks from fraudulent charges. Had the company notified customers earlier, who knows how many of those 1,800 cases of fraud could have been prevented. 
Brian Krebs of the Washington Post, commenting on Blogger News Network, describes a typical scenario of how this could happen: hackers eavesdropping on a network such as Hannaford’s with “sniffer” programs could extract credit and debit card data that is not encrypted as it moves across the wire, even before it leaves the store. The New York Times said it “appears to be the first large-scale piracy of data in transit.” Two points need to be made regarding what has happened at Hannaford. First, only numbers were released; no name or address was connected to the card numbers. The fact that there have been at least 1,800 cases of fraud against card-holders indicates the persistence and ingenuity of the ID thieves. Second, this breach was committed intentionally for the purpose of compromising customers’ personal data in order to steal money from them, as, again, evidenced by the 1,800 fraud cases. These guys don’t give up, and until consumers realize this and demand protection against identity theft, it will continue and just get worse. Computerworld reports that class-action lawsuits have been filed against Hannaford as a result of the breach; they allege inadequate security and a failure to notify victims promptly. In yesterday’s post I quoted from the legal blog Ephemerallaw that litigation is not the answer. The answer is regulation that spells out the parameters for controlling sensitive data and is consistent in enforcement. Why is this so hard for lawmakers to understand?