Abandon Ship! Data Loss Ahoy!

Tue Mar 18 16:10:57 EST 2008



You are a security vendor. You sell the mightiest security doohickey the world has ever seen. It does it all, including "...ensuring your network is safe from hackers..." and amazingly it "...scans for Web site and database vulnerabilities that hackers can use to capture credit card information without you being aware". Since your doohickey does what no others have ever successfully managed to do, you can tout your client list proudly, and pimp your customer implementations liberally.


One of your customers joins the etiolated top 10 with a massive hacker-perpetrated data loss incident.


Your coveted client list is suddenly...humiliating! Thankfully, your doohickey is backed by an efficient public relations and crisis control team. Pagers go off everywhere, and the PR team assembles in the situation room. The client list is wiped of the owned customer, and the mutual masturbation/press release mentioning the client is removed, eliminating all signs of imperfection.


Situation averted. You wash your hands of the incident, and go on your merry way selling the ultimate doohickey, "ensuring your [customers'] network is safe from hackers..." once again.

Interestingly, a curious number of your clients (Hannaford makes #7) appear on DLDOS, apparently while customers of Rapid7, according to archive.org. While not all of the data loss incidents were the result of hacking, many of those clients still remain on the "customers" page, avoiding the rug-job that Hannaford received. Not scrubbing the page of the other clients leads one to ask why Hannaford got special treatment.

Was Hannaford PCI compliant? According to Hannaford at the time of this writing, they are:

Hannaford Supermarkets has been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is recognized as the accepted industry security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations protect customer credit and debit card account data.

According to the recently vanished PDF, Hannaford received PCI certification with the help of Rapid7:

Rapid7 today announced that the Hannaford Bros. Co. has purchased NeXpose, its award-winning enterprise vulnerability management solution, to perform network security scanning in compliance with the Payment Card Industry (PCI) Data Security Standard.

Will they lose their PCI compliance status as a result? Will Rapid7 lose their ASV status? What of their assessor?

All of these questions and no answers. Anyone taking bets if they go completely unanswered?


Update 1 (Mar 19 2008, 14:15 EST):

Rapid7 has replaced most of the material mentioned in this article, possibly in light of this rant and the coverage it has received.

Also, we did receive a reply from R7, which was missed as a result of a 108.6 spamassassin score, shown here.

Copyright attrition.org. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given. Parody images copyright d2d; logos appearing within parody are copyright their respective owners. This piece is merely a compilation of observations based on information we and others found. We are not accusing anyone of anything. Rapid7 was contacted and asked for comment; no reply was received. They did respond; see updates. Special thanks to rchick for digging this up.
