Hannaford Data Breach: The Security Vendor Conundrum
Whenever a news story breaks about a major data breach, PR folks representing security vendors trip over themselves to clog my inbox with "our-solution-could-have-prevented-that" notes.
For Rapid7, a company that hawks vulnerability assessment, PCI compliance and Web application scanning software, this week's Hannaford breach flipped the script and showed how security vendors scramble to deal with a potential embarrassment.
Rapid7, as it turns out, handled vulnerability scanning and point-of-sale inspections for Hannaford.
Here's a snippet from an August 2006 press release (.pdf):
BOSTON - August 15, 2006 - Rapid7 today announced that the Hannaford Bros. Co. has purchased NeXpose, its award-winning enterprise vulnerability management solution, to perform network security scanning in compliance with the Payment Card Industry (PCI) Data Security Standard.
NeXpose will be used to scan devices in Hannaford's networks and at point-of-sale in its 158 retail supermarkets and food and drug stores, ensuring the protection of customers' credit card data and other information. Rapid7 is a MasterCard-approved security scanning vendor as part of the MasterCard Site Data Protection (SDP) Program.
As Hannaford explained in its FAQ on the breach, the stolen data was accessed from Hannaford's computer systems while card data was being transmitted for verification during transactions. How the attackers got in, and whether any of the scanned point-of-sale devices were involved, has not been disclosed.
Funny enough, the folks at Attrition.org caught Rapid7 trying to wipe all references to Hannaford from its Web site.
Hannaford was removed from Rapid7's page listing customers and the PDF file linked above also disappeared. At midnight last night, I was able to use Google's cache to confirm Attrition.org's findings.
This morning, Hannaford suddenly reappeared on Rapid7's site with this note:
While Hannaford Brothers have confirmed that a recent breach resulted in the theft of sensitive data, Hannaford has also confirmed that NeXpose continues to provide exceptional vulnerability management and outstanding remediation reporting and that no systems within the NeXpose scan network contributed to the loss of data. Visit www.rapid7.com today to understand how NeXpose can be used to provide advanced protection against unauthorized data access.
It appears that someone got wind of the Attrition.org exposé and is trying hard to salvage the situation.
This episode underscores the conundrum faced by aggressive marketers (and PR types) when trying to hype a product's capabilities, especially in the computer/network security space.
Instead of being honest about the realities, marketers offer silver bullets. We've all seen these ridiculous promises -- Total Protection (McAfee), Hacker Safe (McAfee, again), blocks all types of threats (Panda).
Last week, at the SourceBoston conference, this was an issue discussed brilliantly by Yankee Group's Andrew Jaquith, who pleaded with marketers to stop with the outlandish promises.
It won't end, of course. But, as Rapid7 found out, it can be a major embarrassment.