Followup: Hannaford Used Rapid7 for Security

Hannaford Brothers Supermarkets didn’t know much about cybersecurity, but then again, most companies don’t. Companies that don’t employ a full-time infosec staff rely on security providers to assess their network and provide solutions that fit their size and needs and, hopefully, protect them at an acceptable level of risk. Then those companies carry on with what they do best, which is running a business. In Hannaford’s case, that business is selling groceries at a good price.

Hannaford had turned to a company called Rapid7 to secure their network and their web servers and, most importantly, to protect their credit card processing information from hackers. When news of the massive data breach reached the home offices of Rapid7, the security company immediately assembled a team of crisis managers to tackle the issue.

No, they didn’t deploy a forensics team to Hannaford to help contain the data breach. Instead, Rapid7 scrubbed all mentions of Hannaford from their client list. Rapid7 obviously didn’t want to be associated with one of the largest data loss incidents in history, and they certainly didn’t want to sully the name of their flagship appliance, the “neXpose,” a vulnerability scanning device.

This information comes from Attrition.Org, an online security community that has been around since the predawn of the dot-com boom. They have an outstanding article, with screenshots, here, where they are much less kind to Rapid7 in light of its cowardly actions.

These shenanigans provide a teaching opportunity.

  • First and most obvious, you can’t try to cover up associations with your customers, especially if you so proudly flaunted the relationship on your corporate website.
  • Second, if you are a security company and you maintain a comprehensive list of all of your customers on a public website, you expose them to attack should a vulnerability ever arise in your own product. That customer list turns into a hacker’s menu.
  • Third, if you are a private company and being included on a security company’s client list is a condition of purchasing their product, go with another vendor.
  • Finally, choose a vendor that will be there to help you in the worst-case scenario, not one that will scrub all memory of you from its website when the chips are down.
