BreachExchange mailing list archives

Re: Two weeks to contain a security breach?!?!? (fwd)


From: "Roy M. Silvernail" <roy () rant-central com>
Date: Tue, 18 Mar 2008 18:29:09 -0400

security curmudgeon wrote:

---------- Forwarded message ----------
From: Richard M. Smith <rms () computerbytesman com>

"Hannaford became aware of the breach Feb. 27. Investigators later 
discovered that the data breach began on Dec. 7; it wasn't contained
until March 10, said Carol Eleazer, Hannaford's vice president of
marketing in Scarborough."

Speaking as someone who is at risk from this breach (I shop at Hannaford
weekly, if not more often), I have to wonder about one detail that has
been mentioned but not extensively discussed.

Hannaford's web site has a sort-of press release that includes this quote:

The intrusion affected Hannaford stores, Sweetbay stores in Florida
and certain independently-owned retail locations in the Northeast
that carry Hannaford products.

Why would "independently-owned retail locations... that carry Hannaford
products" settle their credit card transactions over Hannaford's
network?  I would expect that an independent retailer would be settling
credit card transactions over their bank's system, or perhaps using a
consolidation broker.

Am I just naive?
-- 
Roy M. Silvernail is roy () rant-central com, and you're not
"It's just this little chromium switch, here." - TFT
http://www.rant-central.com
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
