Why Did Schnucks Hide Massive Breach?

For two weeks, the Schnucks supermarket chain has known about a massive breach that has left more than 2 million credit cards exposed. Instead of announcing the breach, it opted to continue accepting credit cards, thereby putting even more of its customers at risk.

Big Delays

The chain of supermarkets was alerted more than two weeks ago by its credit card processing company that something was wrong. The company said both its debit card and credit card transactions were being left exposed. Instead of dealing with the problem right away, it continued to accept these payment options. This isn’t going to be good for the 100-store chain, which also has pharmacies in 96 of those stores.

It did announce on March 30 that it had discovered the exposure and contained it. It said card numbers and expiration dates had been left vulnerable with no worries about card holder names. Unfortunately, it goes much deeper than that.

According to its own timeline, which it uploaded on its site on Monday, the breach was actually found two weeks prior to the announcement. In fact, it was found on the 14th of March, and initially it was being described as just “a handful of cards that were exposed”.

Five days after learning of the exposure, it hired a security firm to conduct a more thorough investigation as reports of even more fraud began surfacing. Still, it was another 13 days before the problems were finally rectified.

Withholding Information

Later on Monday, it became clearer that the chain was still not being honest. In the latest update, Schnucks warned that the breach affected credit card customers who were in its stores between December 2012 and March 29, 2013. That time frame suggests that the company was continuing to leak credit and debit card information between the time it was first alerted to a problem and the time it actually fixed it.

For some time now, there have been growing concerns about the inability of today’s security companies to adequately identify and then handle these growing security breaches. In fact, the denial of service attacks that have been hitting banks for months continue to cause problems since no one can even pinpoint where the attacks are coming from. Many consumers are beginning to wonder how little it takes to actually qualify as a security expert. The hackers are not only telling the public when they will hit next, but they’re also telling the world which banks are in their crosshairs. Still, no one can find them. No one can fix the problems. No one can provide answers. According to a new Radware report, between 2011 and 2012, there was a 170% increase in DDoS attacks. And the costs are incredible: $32,560 per minute of downtime.

Even the Banks Can’t

It would seem as though Schnucks would have taken into consideration the growing number of incidents of downtime being reported by some of the most closely guarded business models in the world: the banks. Hundreds are being reported every day; in fact, one day last week, there were 164 downtime reports. And that’s not anything new. From a public relations angle, it’s a nightmare. Clearly, the massive number of banks that were reporting denial of service attacks around the time the vulnerability was discovered wasn’t much of an incentive for the store to go public and take the opportunity to do the right thing. Instead, it allowed even more of its customers to potentially become victims.

Avivah Litan, an analyst in Stamford, CT, said,

“You’d think they would have figured out what to shut off or at least how to control their traffic”

to prevent further data leaks. The security company couldn’t even pinpoint the breach, let alone identify any potential hackers. It’s a testament to how advanced today’s computer hackers are. Another problem is the shift many of these criminals are taking. Many have been resorting to techniques like hiding stolen data inside legitimate files and encrypting data to evade detection.

“They cloak their malware or hide it within seemingly innocuous files so that it’s very difficult to detect,”

she said.

Losing Ground

No one disputes the fact that available forensics tools are simply not good enough. They can’t even catch up after just a few days have passed. The tools aren’t smart enough to identify the hacking efforts. Litan has a few suggestions:

“What’s needed, and what some tech startups are working on, is behavioral modeling, base-lining and profiling of all nodes and communication ports in an internal network so that abnormal activity and communications can be detected – even if the activity is only active a few seconds a week. Of course this is very difficult to pull off without a lot of false positives and noise in the system, but this is what’s needed,”

she added.
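The baselining idea Litan describes can be sketched in a few lines; this is an added illustration, not code from the article or from any vendor. Host names, flow records and the `shared_min_clients` threshold are constructed assumptions: the profile is the set of (destination, port) pairs each node normally talks to, and any flow outside it is reported no matter how briefly it was active.

```python
from collections import defaultdict

# Constructed flow records: (day, src, dst, dst_port, seconds_active)
BASELINE_FLOWS = [
    (1, "pos-01", "pay-gw", 443, 3600),
    (1, "pos-02", "pay-gw", 443, 3500),
    (2, "pos-01", "pay-gw", 443, 3700),
    (2, "pos-02", "pay-gw", 443, 3650),
    (2, "pos-01", "ntp-01", 123, 4),
    (3, "pos-02", "ntp-01", 123, 4),
    (3, "backoffice", "pay-gw", 443, 900),
]
NEW_FLOWS = [
    (8, "pos-01", "pay-gw", 443, 3600),    # matches pos-01's profile
    (8, "backoffice", "ntp-01", 123, 4),   # new for this node, but a shared service
    (8, "pos-02", "198.51.100.7", 53, 3),  # never seen, active for 3 seconds
    (9, "pos-02", "backoffice", 445, 2),   # never seen, node-to-node
]

def build_baseline(flows):
    """Profile each node: which (dst, port) pairs it uses, and who uses each service."""
    edges = defaultdict(set)    # src -> {(dst, port)}
    clients = defaultdict(set)  # (dst, port) -> {src}
    for _day, src, dst, port, _secs in flows:
        edges[src].add((dst, port))
        clients[(dst, port)].add(src)
    return edges, clients

def find_anomalies(flows, baseline, shared_min_clients=2):
    """Return flows outside the source node's profile.

    Duration is deliberately not a filter: a 2-second flow is reported like
    an hour-long one. To cut noise, a new edge is suppressed when the same
    service was already used by at least shared_min_clients other nodes.
    """
    edges, clients = baseline
    alerts = []
    for day, src, dst, port, secs in flows:
        if (dst, port) in edges.get(src, ()):
            continue  # normal for this node
        if len(clients.get((dst, port), ())) >= shared_min_clients:
            continue  # common internal service, likely benign
        alerts.append((day, src, dst, port, secs))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print("unprofiled communication:", alert)
```

Raising `shared_min_clients` reports more new edges and lowering it suppresses more, which is the false-positive trade-off the quote refers to.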

For its part, Schnucks isn’t responding to media requests for comments.

ID Theft

Remember, there are millions of Americans who become victims of identity theft. In 2011, there were around 6 million affected by identity theft and credit card fraud. Worse, the numbers are growing rapidly. So what will ultimately happen to the grocery store chain and is this enough of a public relations disaster to affect its bottom line? Only time will tell – and if its customers begin noticing fraud and theft on their credit cards, the lawsuit potential grows. Not everyone sees it that way.

One firm that specializes in corporate responsibility and credit card security compliance issues agrees that it took the chain an extended amount of time to isolate the case and that it’s unusual. Jim Huguelet of Huguelet Group LLC also said that it could be indicative of “malware custom-written for Schnucks’ environment or utilized unique techniques to hide its existence.” He continues,

“The number of cards compromised is significant given the relatively small size of the Schnucks chain and just proves that retailers of all sizes must be diligent in their protection of their payment processing systems.”

What are your thoughts? Do you think this could be brutally damaging for the grocery store chain or is it just business as usual in a new technology-driven economy?
