Followup: Hannaford Used Rapid7 for Security

Hannaford Brothers Supermarkets didn't know much about cybersecurity, but then again, most companies don't. Companies without a full-time infosec staff rely on security providers to assess their network and provide solutions that fit their size and needs, and that hopefully protect them at an acceptable level of risk. Those companies then carry on with what they do best, which is running a business. In Hannaford's case, that business is selling groceries at a good price.

Hannaford had turned to a company called Rapid7 to secure their network and their web servers and, most importantly, to protect their credit card processing information from hackers. When news of the massive data breach reached the home offices of Rapid7, the security company immediately assembled a team of crisis managers to tackle the issue.

No, they didn't deploy a forensics team to Hannaford to help contain the data breach. Instead, Rapid7 scrubbed all mentions of Hannaford from their client list. Rapid7 obviously didn't want to be associated with one of the largest data loss incidents in history, and they certainly didn't want to sully the name of their flagship appliance, the "neXpose," a vulnerability scanning device.

This information comes from Attrition.Org, an online security community that has been around since the predawn of the dot-com boom. They have an outstanding article, with screenshots, here, where they are much less kind to Rapid7 in light of its cowardly actions.

These shenanigans provide a teaching opportunity.

  • First and most obvious, you can't try to cover up associations with your customers, especially if you so proudly flaunted the relationship on your corporate website.
  • Second, if you are a security company and you maintain a comprehensive list of all of your customers on a public website, you expose them to attack should a vulnerability ever arise in your own product. That customer list turns into a hacker's menu.
  • Third, if you are a private company and are forced to be included on a security company's client list as a condition of purchasing their product, go with another vendor.
  • Finally, companies should choose a vendor that is there to help them in the worst-case scenario, not a company that will scrub all memory of them from its website when the chips are down.
16 Responses to Followup: Hannaford Used Rapid7 for Security

  1. Apparently (according to the vendor, anyways) Hannaford asked the vendor to correct the information on their website:

    http://www.networkworld.com/community/node/26143

    So the breach happened in a retail system which was not scanned by the vendor…although if TJX taught us anything, I think we should not rush to judgement until the investigation is done (remember how the story with TJX kept changing every week for a couple months)

    • Berr, thanks for the handy link. The article is changing with updates. It seems that Rapid7 took it down and then made sure it was okay with Hannaford, but then someone at the company said there was no need to purge the info. Sounds like pandemonium at Rapid7.

      From the updated article: "Regarding why the Hannaford materials reappeared hours ago, Matthews says: "When I got involved yesterday afternoon I said, 'Well, there's no reason to do this; no one has actually asked us to do this. We should just put it back up the way it was."

      Regarding how the breach actually happened? You are right, the investigation is not yet complete. I never blamed Rapid7 or its product for the failure of Hannaford's security. The failure is ultimately Hannaford's, as they assume the risk to ensure their network is secure.

      I do blame Rapid7 for shooting themselves in the foot by screwing around with their website in light of the breach. It makes them look very amateurish.

  2. Pingback: BelchSpeak » Post Topic » Hannaford Data Breach Tied to Rapid7

  3. I see a Hannaford logo on the right-hand side of their client list. Probably a haxor broke into their site and re-added it…..

  4. I think it's more likely that Hannaford's asked to be removed from the web site, which would be consistent with standard business practice after an incident… Maybe. I don't know.

  5. Pingback: » Security vendor removes Hannaford as a client on their site after data breach is revealed! - Blogger News Network

  6. Rapid7 is a joke. They have been pitching this crap software to me for months. Their product demo was the most absurd call I have ever been a part of. I have been blowing off their sales calls recently, but now I hope they call and try to sell me on their program!