The Hannaford Data Breach - It’s Unique
What’s Different?
If you’ve been following the press on the recent Hannaford grocery chain’s data breach, you may have noticed something a bit different. Those differences mean that this could be the worst data breach ever in terms of financial impact on both the issuers and the card holders.
According to all the reports, it was a large number of cards, but small potatoes in comparison to the TJX breach of last year. 4.2 million accounts isn’t small, but against the possible 90 million from TJX it’s a drop in the bucket. Two things make this one different. First, it appears Hannaford was fully PCI compliant. Even Visa and MC have said so - at least for now. The other factor to this is that it’s starting to look like the majority of the compromised cards were debit cards - not credit accounts. That is a big problem and the banks are scrambling to reissue cards - a LOT of cards.
Analysis
Point of attack
Initial reports are telling us that the breach occurred “in transit from POS terminals.” At this point I think that’s educated speculation, but it certainly has merit. “In transit” makes sense as a practical matter. As more and more merchants become PCI compliant by not storing data, the bad guys are looking to the only place they can get information - in transit. The data is supposed to be encrypted in transit but a lot of what we’re seeing indicates that it isn’t at some point in the transaction, or that the encryption is weak.
Debit or Credit?
The banks are scrambling to issue new cards. According to Gartner’s Avivah Litan, they would only do this if the mag strip data was breached. And think about how many people use debit cards rather than credit cards in a grocery store. Replacing cards costs the issuing banks around $35.00 each. Banks don’t do this casually. Logic tells us that magnetic strip data was compromised and debit cards are being cloned.
They’re being used already
Other than a couple of minor arrests from fraudulent use of data from the TJX breach, we didn’t see much fraud that could be related to the breach. Not so in the Hannaford theft. There are already reports of over 1800 fraudulent transactions that trace directly back to the Hannaford breach. That is a significant number. Until the issuers replace every one of the 4.2 million cards, they are at risk. Much of that risk falls on the cardholder. They don’t have the protection from fraud with debit cards that they do with credit. Make no mistake, merchants aren’t the only ones that will bear the cost of this one. Banks are already hard hit with replacement costs, and any cardholder that’s hit is going to have a lot of explaining to do.
PCI Compliant?
So about this PCI thing. Were they compliant? PCI is a bit complicated. At its best, it’s a moving target and a fuzzy one at that. Hannaford may well have been compliant at their last scan or audit; we’ll probably never know. What we do know is that even the best of security consultants will differ on exactly what constitutes full compliance, but will agree that you can be compliant one day and not compliant the next. And was everyone and everything fully compliant while the breach was ongoing? Only in the ideal world. PCI is good; it isn’t perfect.