Hannaford card data breach might be the result of vulnerable code, says Fortify

"The Hannaford supermarket data breach in the US, in which as many as 4.2 million customers' card details appear to have been downloaded, was almost certainly the result of malware that exploited a code flaw," reports security firm Fortify Software.

According to Brian Chess, Fortify's Founder and Chief Scientist, the uniformity of the breach suggests that the attackers were taking advantage of a software weakness.

"The fact that the servers in almost all of the stores were compromised makes it much more likely that the attackers found a vulnerability in a piece of code that was common to all of the servers and used malware to exploit the weakness," he said.

"My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers, then figured out that there was a vulnerability on some piece of code running on all of the machines," he added.

"We see many organizations that are much more lax about internal systems," explains Chess.

"What's interesting about the case is that newswire reports suggest the store chain was fully PCI compliant and, as such, is unlikely to have to pay fines under current PCI rules, unlike, for example, the TJX Group hack of last year," said Brian Chess, Fortify's Chief Scientist. Chess added, "the store chain had passed its PCI audit, but PCI takes a relaxed attitude towards internal machines."

If you take a look at PCI DSS section 6.6, for example, says Chess, this requires companies to "ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

- Having all custom application code reviewed for common vulnerabilities by an organization that specialises in application security

- Installing an application-layer firewall in front of Web-facing applications."

According to Chess this means that Hannaford fulfilled section 6.6 by default so long as their Web applications were only for use inside the corporate network.

"PCI DSS is a lot like a fire code or a health code. It doesn't guarantee smooth sailing, it just helps people avoid repeating a lot of painful mistakes from the past," he said.

As a result of this, Chess predicts that future versions of PCI DSS will drop the distinction between Web-facing software and internal software.