I was out on vacation (and then at RSA) when much of the interesting detail about the Hannaford breach emerged. Security professionals, and probably the general public, are growing a little desensitized to security breach news, particularly of the type “company XYZ lost a laptop, and NN,NNN individuals’ NPI (non-public information) is now at risk”. This stuff is so commonplace that it gets tuned out. I guess it means that the markets for endpoint security technologies, full disk encryption, etc. will be robust for a long time, but beyond that, it is not much of a big deal.
Then there are the big, cataclysmic security events like TJX, Société Générale, or Hannaford. With highly impactful breaches like Hannaford, it sometimes takes a while to understand not only the “how-what-where-when-why” details of the breach, but more importantly its likely future impacts.
The future impacts and likely consequences of the Hannaford breach can be expected to be significant. Consequences to Hannaford will no doubt include fines and a lengthy mandated security program (with external security audit and review) from the FTC. In terms of PCI compliance, it isn’t entirely clear whether penalties can be imposed by the credit card payment chain; after all, Hannaford claimed PCI compliance. The bigger long-term impact will likely be on the future of the PCI standard itself: once the attack vector and the vulnerabilities, whether technical or administrative, are better understood, the PCI standard will have to ratchet up the controls it specifies so as to prevent these attacks in the future.
To the general IT world, this latest big breach adds more fuel to the fire for a US national law on consumer data privacy. This was a sophisticated attack that should rightfully scare the heck out of IT security executives in all sectors and industries. It is also a reminder that compliance does not equal security.
Jim Hietala

Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.