% fortune -ae paul murphy

An (Imaginary?) Hannaford Conspiracy

The regularity with which geezers like me see history repeating itself suggests some combination of memory influencing perception with an amazing continuity in the forces driving human behavior. Worse, our perceptions of what happened then may be wrong but influence our interpretations of what's happening during the perceived re-run anyway, and this is, I think, a risk in terms of my perception of what's going on with Hannaford.

Hannaford's, as most IT people know, recently suffered a data theft possibly affecting as many as 4.2 million customers - but what you may not know is that the first major lawsuit based on this arrived within forty-eight hours of Hannaford's disclosure announcement. To me that seems awfully fast, but bear in mind that what I'm saying about the whole mess in this blog is highly speculative - because the facts simply aren't available yet.

The blast from the past here comes from 1987 and 1988. In 1987 someone released a replication script using IBM's PROFS email system that brought IBM's worldwide mainframe network to a painful and embarrasingly public halt. Among many responses was the sudden emergence of a constituency for political action on computer crime and consequent pre-positioning by various groups eager to leverage the next attack as a vehicle for legal and political action aimed at criminalizing actions bringing down computer services.

When the 1988 Morris usenet worm hit I followed instructions on cleaning up the Vaxen and dismissed it just another student experiment gone wrong - but there was an unrelated agenda for action which, when the scope of the response became clear, I put down to the publicity given the IBM disaster and consequent unflattering comparisons to the reliability of Unix e-mail.

Unfortunately for Morris he was everything those angry about the PROFS disaster could have hoped for: young, geeky, arrogant, far too honest for his own good, committed to that dreadfall upstart Unix, and too poor to mount a significant defence - so while Computerworld's columnists raved about the horror of it all (and Microsoft firmly kept its mouth shut) he was duely convicted under the computer Fraud and Abuse Act (Title 18) and later sentenced to three years probation, 400 hours of community service, and assessed a $10,800 fine.

Of course, that was then, and Hannaford is now - so why am I seeing parallels?

First there's speed and ferocity of response. I've been saying for years that data security would sooner or later become the subject of a class action lawsuit and that using Windows for secure data will then turn out to be a common, but not best, industry practice. A high profile lawsuit like this, in other words, was in the cards - but there's a process for getting to court that starts with a lawyer-client interview and generally takes at least a couple of weeks.

In the Hannaford case, however, the company announced the data leak on Monday March 17th, 2008 and the Philadelphia law firm of Berger & Montague, PC, filed a major class action against them on March 19th.

Here's part of their press release on this:

Philadelphia (March 19, 2008) - On March 19, 2008, the law firm of Berger & Montague, PC filed a class action suit in the U.S. District Court for the District of Maine on behalf of all consumers in the United States whose credit card or debit card data was stolen from the computer network of Hannaford Brothers Co. ("Hannaford") supermarkets.

The complaint alleges that Hannaford was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker.

On March 17, 2008, Hannaford announced on its website that there was a "data intrusion into its computer network that resulted in the theft of consumer credit and debit card numbers." The stolen data included "credit and debit card numbers and expiration dates," which were accessed from Hannaford's computer system "during transmission of card authorization." The intrusion affected all Hannaford stores located throughout the North Eastern U.S., as well as Sweetbay stores in Florida.

Published news reports indicated that 4.2 million unique credit and debit card numbers have been exposed to potential fraud. To date, there have been approximately 1,800 cases of reported credit and debit card fraud stemming from the breach.

That's fast - very fast - less than forty-eight hours from confession to filing; so I'm guessing they were primed, ready, and just waiting for the opportunity to pounce.

But why pick on Hannaford? The company's owners have deep pockets, but they're out of reach and there'll be no billion dollar payday coming out of the company's American assets. More interestingly, a quick look at the chronology of data breaches suggests that there were more than enough easier pickings available - with deep pocket organizations including Blue-Cross Blue-Shield of Western New York, Harvard University, and the Utah Division of Finance all admitting potentially more individually damaging data breaches in the two weeks prior to Hannaford's announcement.

So what makes Hannaford an attractive target? The most obvious thing that's different about them is that they're an IBM mainframe customer which rejected an IBM POS system and then received a lot of positive publicity for using Linux as one component in a mashup of its own.

Here, for example, is the first part of a January 2005 Computerworld story by Thomas Hoffman:

Hannaford Brothers Co. has already received productivity and cost-avoidance windfalls from an ongoing point-of-sale system replacement project that will cost between $10 million and $20 million, executives at the grocer said last week.

The new Linux-based POS systems have been installed in about two-thirds of the company's 140-plus supermarkets in New England and New York. Hannaford Bros., a division of Brussels-based Delhaize Group, expects to complete the implementation of the thin-client systems by October, said CIO Bill Homa. The systems, which are supported by 12 vendors of servers, software, printers and other peripheral devices, replace 15-year-old Fujitsu Ltd. technology based on OS/2 Version 1.3, according to Homa.

So what's the deal here? I don't think there's enough information out yet to form any actual conclusions - but I saw the Morris business as scores being settled and points made, and I think there may be a basis for seeing the Hannaford lawsuits in broadly the same way.

If so, I think the law firm may have jumped the gun because when push comes to court on this I think the odds are very good that Linux will turn out to have had nothing to do with the data breach - and that thought leads to a testable prediction about my little conspiracy theory.

If this case is really about damage done as a result of that data data breach, then whether the attackers exploited soft targets like the network or payment processing software instead of Linux will have nothing to do with the extent or reality of those damages - but if there's a basis to my paranoia we can expect to see a crescendo of publicity on this case only if it turns out that the Nixdorf Linux machines were exploited - and the descent of a nearly complete veil of silence if (as I think more likely) Linux had nothing to do with it.

So stay tuned - and the less we hear about this case, the more likely it will seem to me that Linux, and non IBM linux at that, was specifically targetted - and by the lawyers, not the hackers.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.