Security Researchers: Supervalu PoS Breach 'Completely Avoidable'

Late last week, news broke that a possible data breach at various supermarket chains may have affected 1,000 stores across the US, after hackers were able to install malware on point-of-sale (PoS) systems. Considering that this is only the latest large PoS-related data breach to make headlines in the last few weeks, the response from the security community has been less than forgiving.

It all started at supermarket chain Supervalu, which said that about 200 of its grocery and liquor stores (under the brands Cub Foods, Hornbacher's and Farm Fresh) were potentially affected. However, Supervalu also provides technology services to Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets in about two dozen states, widening the scope of the breach to nearly a thousand locations.

Supervalu said that it has identified a "criminal intrusion" between June 22 and July 17 that targeted the account numbers, expiration dates and cardholder names of customers who used credit or debit cards at the stores. No evidence has yet surfaced, however, that the perpetrators actually stole any data.

"The company has not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution," Supervalu said.

Even so, the attack follows a number of high-profile breaches at Target, Neiman Marcus, Michaels Stores, Sally Beauty and eBay. All of these incidents have shown that criminals can rather easily leverage existing security weaknesses in corporate networks to gain access to sensitive data and critical PoS systems without being detected. Given the ongoing tsunami of headlines about such breaches, failing to make changes to account for this is tantamount to negligence, some researchers told Infosecurity.

Eric Chiu, president and co-founder of HyTrust, said that of particular concern is the time it takes for an organization to discover that it has been compromised.

“The possible Supervalu breach underlines one of the key challenges companies are facing when it comes to security: it takes weeks to months before they even notice they have been breached,” he said. “It is critical that organizations change their security approach -- it should be top of mind for every organization today. Companies must assume they have already been breached, and begin looking at policies and technology that can prevent attackers from getting access to sensitive or regulated data, even if the attackers are inside the network.”

Better visibility is an obvious must. “A multi-layer defense is required, with the combination of solutions that can detect malicious activities not only at the internet edge but especially inside the company’s networks,” said Carmine Clementelli, network security expert at PFU Systems. “These internal network technologies must be able to analyze relationships between multiple communications both from outside and within the network.”

Better data compartmentalization and encryption are also key, as was determined in the aftermath of the Target hack.

“The continuation of data breaches at the retail or POS level is becoming the favored target for hackers and thieves, and these breaches are at epidemic proportions,” said Richard Blech, CEO, Proximity. “A key solution to this problem at the POS or retail IT level is not to avoid any sensitive data passing through these systems, but rather to have that data and process encrypted, so that said data, when compromised, is rendered completely useless to the data thief. Part of this encryption process is at the hardware level and not just at the POS software level.”

Retail stores may or may not decide to invest in new security approaches even in the face of a rising tide of incidents, but clearly, claiming ignorance of the risk is a tactic that no retailer can afford.

“By now, every retailer is aware of the risks of malware in the POS, the impact, and the simple fact that being compliant with PCI doesn’t equate to mitigating advanced threats that no doubt again stole the gold in this case,” said Mark Bower, vice president of product management and solutions architecture, Voltage Security, in a note. “The only way to neutralize this risk is to avoid any sensitive data passing in and through the vulnerable POS or retail IT. Hundreds of thousands of merchants already do this today with proven approaches using the latest innovations in data-centric security and are able to brush off such attacks like water off a duck’s back. These risks are totally avoidable – and at a fraction of the cost of the fallout from dealing with the consequences.”
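The point Blech and Bower are making can be shown concretely. A PoS RAM scraper finds card numbers by regexing process memory for runs of digits and keeping the ones that pass the Luhn check, so the defence is to make sure the register process never holds a plaintext PAN at all. The block below is an added example, not code from the page, from Supervalu, or from any of the vendors quoted: it simulates the two memory layouts in Python. The card number is a Luhn-valid test number, not a real account; the "PIN pad" encryption is an HMAC-SHA256 counter-mode keystream standing in for the terminal's hardware AES (a toy, not a real P2PE implementation); and the token design (BIN and last four preserved, token forced to fail Luhn) is a common but assumed scheme.

```python
import hashlib
import hmac
import os
import re
import secrets

# Constructed sample: a Luhn-valid *test* card number, not a real account.
TEST_PAN = "4532015112830366"
TEST_EXPIRY = "1612"      # YYMM
TEST_NAME = "DOE/JANE"

def luhn_ok(digits: str) -> bool:
    """Luhn check; scrapers use it to separate PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Runs of 13-19 ASCII digits not bordered by other digits: the usual scraper pattern.
PAN_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})(?![0-9])")

def scrape(buffer: bytes) -> list:
    """Mimic a PoS RAM scraper: regex the buffer, keep Luhn-valid candidates."""
    return [m.decode() for m in PAN_RE.findall(buffer) if luhn_ok(m.decode())]

def _track(pan: str, expiry: str, name: str) -> bytes:
    # Track-2 style: PAN=YYMM + service code, plus the cardholder name.
    return f"{pan}={expiry}101;NAME={name}".encode()

def pos_memory_plaintext(pan: str, expiry: str, name: str) -> bytes:
    """Register memory when the PoS software parses the swipe itself."""
    return b"TRACK=" + _track(pan, expiry, name) + b";AMT=4219"

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for the pad's hardware AES."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_at_pad(track: bytes, key: bytes, nonce: bytes = None) -> bytes:
    """Runs in the PIN pad's secure hardware, before the data reaches PoS software."""
    nonce = nonce if nonce is not None else os.urandom(8)
    ks = _keystream(key, nonce, len(track))
    return nonce + bytes(a ^ b for a, b in zip(track, ks))

def decrypt_at_processor(blob: bytes, key: bytes) -> bytes:
    """Only the processor's HSM holds the key; nothing on the store network can do this."""
    nonce, ct = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def tokenize(pan: str) -> str:
    """Format-preserving token the register keeps for refunds and reports:
    BIN and last four preserved, random middle, and forced to FAIL Luhn so a
    scraper's filter discards it (an assumed, though common, token design)."""
    while True:
        middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 10))
        token = pan[:6] + middle + pan[-4:]
        if not luhn_ok(token):
            return token

def pos_memory_p2pe(pan: str, expiry: str, name: str, key: bytes, nonce: bytes = None) -> bytes:
    """Register memory when the pad encrypts the swipe (P2PE) and the
    processor hands back a token: ciphertext plus a non-Luhn token, no PAN."""
    blob = encrypt_at_pad(_track(pan, expiry, name), key, nonce)
    return (b"TRACK_ENC=" + blob + b";TOKEN=" + tokenize(pan).encode()
            + b";LAST4=" + pan[-4:].encode() + b";AMT=4219")

if __name__ == "__main__":
    key = os.urandom(32)   # in reality injected into the pad and held by the processor's HSM
    print("plaintext register ->", scrape(pos_memory_plaintext(TEST_PAN, TEST_EXPIRY, TEST_NAME)))
    print("P2PE register      ->", scrape(pos_memory_p2pe(TEST_PAN, TEST_EXPIRY, TEST_NAME, key)))
```

Run against the plaintext layout the scraper returns the test PAN; against the P2PE layout it returns nothing, because the only digit run of card length is a token that deliberately fails Luhn and the track data is ciphertext whose key never exists on the store network. That is the whole of the "useless to the thief" argument: the malware can still run, but there is nothing worth scraping.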

Steve Hultquist, chief evangelist at RedSeal Networks, added: “These investments mean that enterprises must likewise increase their defensive investments, especially in the analysis of potential attack vectors. Simply reacting while attacks are in progress is insufficient. Each enterprise must know its network security architecture and have automated analysis to ensure that the entire end-to-end network complies with its policies. Not doing so is effectively agreeing to be attacked in unknown ways and having to deal with the impacts of a breach.”
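Clementelli's point about detecting malicious activity inside the network by relating communications to one another, and Hultquist's point about automatically checking that the network obeys its own policy, can be made concrete with a small policy check over flow records from a store's PoS segment. This is an added example in Python, not code from the page or from the vendors quoted; the segment addresses, the allow-list, the staging threshold and the flow records are all constructed and hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed, hypothetical store network: the segments a register might reach.
SEGMENTS = {
    "pos":        ipaddress.ip_network("10.10.20.0/24"),   # registers / PIN pads
    "store_ctrl": ipaddress.ip_network("10.10.10.0/24"),   # store controller, back office
    "corp":       ipaddress.ip_network("10.0.0.0/8"),      # any other internal host
}
PAYMENT_GATEWAY = ipaddress.ip_network("203.0.113.0/24")  # processor (TEST-NET-3 addresses)

# Policy: a register may initiate only these (destination segment, port) pairs.
ALLOW = {("store_ctrl", 443), ("gateway", 443)}

# Distinct registers that must hit one unapproved internal host before we call it
# a staging server (attackers aggregate dumps on one internal box before exfil).
STAGING_THRESHOLD = 3

def classify(ip: str) -> str:
    """Map an address to its segment name; most specific network checked first."""
    addr = ipaddress.ip_address(ip)
    if addr in PAYMENT_GATEWAY:
        return "gateway"
    for name in ("pos", "store_ctrl", "corp"):
        if addr in SEGMENTS[name]:
            return name
    return "external"

def explain(dst_seg: str, port: int) -> str:
    if dst_seg == "pos":
        return "register-to-register traffic (lateral movement)"
    if dst_seg == "external":
        return "direct off-net connection bypassing the payment gateway (exfiltration path)"
    return f"unapproved destination segment '{dst_seg}' on port {port}"

def check_flows(flows):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port, bytes_out).

    Returns per-flow policy violations initiated by registers and, from the
    relationship between those violations, internal hosts that look like
    staging servers (many registers converging on one unapproved box)."""
    violations = []
    sources_per_dst = defaultdict(set)
    for ts, src, dst, port, nbytes in flows:
        if classify(src) != "pos":
            continue                      # this policy governs register-initiated traffic only
        dst_seg = classify(dst)
        if (dst_seg, port) in ALLOW:
            continue
        violations.append({"time": ts, "src": src, "dst": dst, "port": port,
                           "bytes": nbytes, "reason": explain(dst_seg, port)})
        if dst_seg in ("corp", "store_ctrl"):
            sources_per_dst[dst].add(src)
    staging = {dst: len(srcs) for dst, srcs in sources_per_dst.items()
               if len(srcs) >= STAGING_THRESHOLD}
    return {"violations": violations, "staging_hosts": staging}

# Constructed flow records (not real telemetry), in collector order.
SAMPLE_FLOWS = [
    ("2014-07-01T10:00:00", "10.10.20.11", "10.10.10.5",   443, 812),        # register -> store controller (allowed)
    ("2014-07-01T10:00:02", "10.10.20.11", "203.0.113.10", 443, 1_500),      # register -> payment gateway (allowed)
    ("2014-07-01T10:05:00", "10.10.20.12", "10.10.20.11",  445, 65_000),     # register -> register over SMB
    ("2014-07-01T23:10:00", "10.10.20.11", "10.0.5.40",    445, 2_000_000),  # three registers push large
    ("2014-07-01T23:10:30", "10.10.20.12", "10.0.5.40",    445, 1_900_000),  #   SMB transfers to one
    ("2014-07-01T23:11:00", "10.10.20.13", "10.0.5.40",    445, 2_100_000),  #   back-office box overnight
    ("2014-07-02T03:00:00", "10.10.20.11", "198.51.100.7", 443, 5_000_000),  # register straight to the internet
]

if __name__ == "__main__":
    result = check_flows(SAMPLE_FLOWS)
    for v in result["violations"]:
        print(f"{v['time']} {v['src']} -> {v['dst']}:{v['port']} {v['bytes']}B  {v['reason']}")
    print("staging hosts:", result["staging_hosts"])
```

On the sample the two legitimate flows pass, the five others are flagged individually, and the three overnight SMB pushes to 10.0.5.40 are additionally correlated into a staging-host finding that no single flow would justify on its own. The allow-list is the policy Hultquist refers to; a real deployment would generate it from the firewall and segmentation design rather than hand-write it, and feed the checker from NetFlow or proxy logs rather than a list literal.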

The apparent lack of concern is also a failing of executive management, according to Philip Lieberman, president at Lieberman Software. Target, of course, saw the firing and resignation of several C-level executives, including its CEO.

“This is another example of an incompetent retail CEO incapable of providing leadership and process to secure their organization,” he said via email. “Just as the CEO must manage his staff and assets, the CEO is responsible for protecting the security of his network and his customers. As in the Target case, the board should fire both the CEO and the senior IT management that allowed this to occur for gross negligence. Technology and processes exist to eliminate this class of problem, but the CEO chose not to or could not implement them due to lack of knowledge or will. In any case, termination would be an appropriate outcome to send a message to other CEOs that IT security is the responsibility of the CEO.”