For a few months earlier this year, the personal data of customers of the Schnucks supermarket chain was exposed to hackers whose work went undetected until after a card processing company issued an alert about fraudulent activity on a handful of credit and debit cards used at the stores.
Even after the alert was issued, it took a while to determine the cause and close the breach. In an initial probe, Schnucks quickly ruled out insider theft or faulty point-of-sale machines as causes. The St. Louis-based retailer then hired Mandiant, a cybersecurity firm, to pursue the investigation, but even Mandiant's specialists needed about two weeks to find and plug the breach, and then secure the company's systems.
Analysts say such delays in finding and closing breaches could grow more common because hackers are getting more sophisticated and the security tools needed to keep them at bay are mostly still in development.
To continue reading, register here to become an Insider It's FREE to join Learn More
Already an Insider? Sign in
Computerworld - For a few months earlier this year, the personal data of customers of the Schnucks supermarket chain was exposed to hackers whose work went undetected until after a card processing company issued an alert about fraudulent activity on a handful of credit and debit cards used at the stores.
Even after the alert was issued, it took a while to determine the cause and close the breach. In an initial probe, Schnucks quickly ruled out insider theft or faulty point-of-sale machines as causes. The St. Louis-based retailer then hired Mandiant, a cybersecurity firm, to pursue the investigation, but even Mandiant's specialists needed about two weeks to find and plug the breach, and then secure the company's systems.
Analysts say such delays in finding and closing breaches could grow more common because hackers are getting more sophisticated and the security tools needed to keep them at bay are mostly still in development.
The difficulties encountered by the Schnucks security team and the security experts from Mandiant show how good online attackers are getting at concealing their tracks, said Avivah Litan, an analyst at Gartner. "You'd think they would have figured out what to shut off or at least how to control traffic" to stop data leaks, she added.
Increasingly, attackers are resorting to techniques like hiding stolen data inside legitimate files and encrypting data to evade detection, she said. "They cloak their malware or hide it within seemingly innocuous files so that it's very difficult to detect," she said.
"[Today's] network and enterprise security tools are not smart enough to detect the hacking when it occurs," and they might not even uncover such activity in a matter of hours or even days, Litan said.
"What's needed -- and what some tech startups are working on -- is behavioral modeling, baselining and profiling of all nodes and communication ports in an internal network," she said, adding that such tools would be able to detect abnormal activity and communications that occur for as little as a few seconds a week.
But developing such tools is a challenge. "This is difficult to pull off without a lot of false positives and noise in the system," Litan said.
Jim Huguelet, principal of the Huguelet Group, said the fact that it took so long to isolate the cause of the Schnucks breach "could indicate that the malware was custom-written for Schnucks' environment or utilized unique techniques to hide its existence."
"The number of cards compromised is significant given the relatively small size of the Schnucks chain and just proves that retailers of all sizes must be diligent in their protection of their payment processing systems," said Huguelet, whose firm advises companies on how to comply with credit card security standards.
The Schnucks probe eventually determined that about 2.4 million credit and debit cards used by customers at 100 stores and 96 in-store pharmacies in five Midwestern states were exposed to hackers between December 2012 and March 30.
The company launched an internal investigation on March 14, hired Mandiant five days later and publicly disclosed the breach on March 30.
Officials of the supermarket chain didn't respond to requests to comment further on the breach or the investigation into it.
