Wal-Mart victim of serious security breaches in 2005 & 2006
October 13, 2009
It's now confirmed that Wal-Mart was the victim of a serious Internet security breach back in 2005 and 2006. Hackers targeted the Wal-Mart development team in charge of the chain’s PoS (point-of-sale) system and transferred source code and other very sensitive data to a computer in Eastern Europe.
Wal-Mart acknowledged the hack attack, which it calls an “internal issue,” since no sensitive customer data was stolen. The company said it had no obligation to disclose the breach publicly, but did so because of mounting speculation and many reporters' phone calls to the company's head offices in the last week.
Overall, internal documents suggest for the first time that the U.S.' largest retailer was among the earliest targets of a wave of cyberattacks that went after the bank-card processing systems of brick-and-mortar stores around the U.S. beginning in 2005.
The details of the breach and Wal-Mart’s many challenges in reconstructing what happened shed new light on the vulnerable state of retail security at the time, despite card-processing security standards, such as PCI compliance certification, that were already in place.
To be sure, Wal-Mart did uncover the breach in November 2006, after a fortuitous server crash led system administrators to a password-cracking tool that had been surreptitiously installed on one of its servers.
Wal-Mart’s initial probe traced the intrusion to a compromised VPN account, and from there to a computer in Minsk, Belarus.
The retailing giant had a number of other security vulnerabilities at the time of the attack, according to internal security assessments seen by Wired.com, and acknowledged as genuine by Wal-Mart. For example, at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, were housed on company servers in unencrypted form.
Wal-Mart says it was in the process of dramatically improving the security of its transaction data, and in 2006 began encrypting the credit card numbers and other customer information, and making other important security changes.
This latest discovery set off an investigation that swept in outside security consultants and corporate attorneys to determine what the hackers had touched, and whether the company was required to report the intrusion, and to whom, the documents reveal.
Wal-Mart says it has notified federal law enforcement agents, who were working on other ongoing investigations involving similar breaches. In 2005, similar attacks were occurring at TJX, Dave & Buster’s restaurants and other companies, which ultimately resulted in more than 100 million cards being compromised.
Albert Gonzalez, a 28-year-old Miami man, pleaded guilty this month to carrying out many of those breaches with other hackers, and is facing unresolved charges for the remainder.
The Wal-Mart intrusions began unraveling on Nov. 5, 2006, when the company’s IT security group was brought in to investigate the server crash. Wal-Mart has thousands of servers nationwide, and any one of them crashing would ordinarily be a routine event. But this one raised a very red flag: someone had installed L0phtcrack, a password-cracking tool, onto the system, and the server crashed when the intruder tried to launch the program.
Investigators found that the tool had been installed remotely by someone using a generic network administrator account. The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company.
The day the server crashed, the intruder had been connected to Wal-Mart’s network for about seven hours, originating from an IP address in Minsk, the documents prove.
When Wal-Mart reviewed its VPN logs, it found that the activity had begun at least as early as June 2005, according to memos written by Wal-Mart employees during the initial stage of the investigation. The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.
Wal-Mart declined to respond to questions about the initial date of the attack, the server log files or the conclusions it had reached in its final report.
Wal-Mart's security team disabled the compromised VPN account, but the intruder, who by then should have realized the game was over, came back in through another account, this time belonging to a different Canadian employee who had also since left the company.
When that VPN account was closed, the intruder grabbed yet a third account while Wal-Mart workers were still scrambling to get a fix on the scope of the breach. Wal-Mart’s security team was able to identify “over 800 servers that the attacker either tried to brute force or actually made a successful SSH or RDP connection,” according to a Nov. 10, 2006 email summarizing the early Wal-Mart investigation.
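The two weaknesses described above, an orphaned VPN account still accepting logins and one identity sweeping hundreds of hosts over SSH and RDP, are the kind of thing a defender can check for directly in logs. The following is an added example, not from the article or Wal-Mart's investigation; the log format, account names, host names and addresses are all constructed for illustration.

```python
# Added example (not from the article): two defender-side log checks for the breach
# pattern described: orphaned VPN accounts still in use after an employee left, and
# one account fanning out to many internal hosts over SSH/RDP (a brute-force sweep).
import re
from collections import defaultdict

# Constructed VPN concentrator log: timestamp, service, account, source IP, outcome.
VPN_LOG = """\
2006-11-05T02:14:09Z vpn user=jdoe-ca src=203.0.113.45 result=success
2006-11-05T02:15:31Z vpn user=asmith src=198.51.100.7 result=success
2006-11-05T02:16:02Z vpn user=jdoe-ca src=203.0.113.45 result=failure
"""

# Constructed HR feed: accounts whose owners have left the company (should be closed).
DEPARTED_ACCOUNTS = {"jdoe-ca", "mlee-ca"}

# Constructed internal auth log: one line per SSH/RDP attempt against a server.
AUTH_LOG = """\
2006-11-05T02:20:11Z ssh user=svc_netadmin src=10.40.1.23 dst=dev-pos-01 result=failure
2006-11-05T02:20:12Z ssh user=svc_netadmin src=10.40.1.23 dst=dev-pos-02 result=failure
2006-11-05T02:20:14Z rdp user=svc_netadmin src=10.40.1.23 dst=dev-pos-03 result=success
2006-11-05T02:21:00Z ssh user=bbuilder src=10.40.2.8 dst=build-01 result=success
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one 'key=value' log line into a dict, keeping timestamp and protocol."""
    ts, proto, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields.update(ts=ts, proto=proto)
    return fields

def orphaned_vpn_logins(vpn_log, departed):
    """Successful VPN logins on accounts whose owners have left: every hit is a finding."""
    hits = []
    for line in vpn_log.splitlines():
        rec = parse(line)
        if rec["user"] in departed and rec["result"] == "success":
            hits.append((rec["ts"], rec["user"], rec["src"]))
    return hits

def lateral_fanout(auth_log, min_hosts=3):
    """Accounts touching >= min_hosts distinct hosts; failures count, since a sweep
    shows up in failed attempts long before the first success."""
    targets = defaultdict(set)
    for line in auth_log.splitlines():
        rec = parse(line)
        targets[rec["user"]].add(rec["dst"])
    return {u: sorted(h) for u, h in targets.items() if len(h) >= min_hosts}
```

Note that the second check only works if the servers log successful as well as failed connections; the article notes Wal-Mart's servers recorded only the failures, which is exactly what hampered its own reconstruction.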
Many servers that the hackers targeted belonged to company programmers, the documents show. Wal-Mart at the time produced some of its own software, because the company couldn’t find off-the-shelf applications that scaled to its size, the investigator says.
One team of programmers was tasked with coding the company’s PoS (point-of-sale) system for processing credit and debit card transactions. This was the exact team the intruders targeted.
“They weren’t port scanning, they weren’t ping tracing, they weren’t groping blindly in the dark trying to find a nugget,” says the investigator. “They knew what they were going for and they were all over it: PoS.”
At the time Wal-Mart discovered the security breach, it had been encrypting its transaction data for at least three months. It began to do so after a security audit performed for the company in December 2005 found that customer data was poorly protected.
Wal-Mart then commissioned the probe from security auditors at CyberTrust as part of its efforts to become compliant with PCI (Payment Card Industry) security standards that were already established in June of 2001.
Under the standards, which are enforced by credit card issuer Visa, top-tier companies such as Wal-Mart were theoretically required to be in compliance by mid-2004. Wal-Mart also acknowledged that it had received a large number of deadline extensions at the time.
The intruders’ interest in Wal-Mart’s point-of-sale system is consistent with large data breaches that occurred at other companies around the same period. In the spring of 2005, associates of TJX hacker Albert Gonzalez hacked into the point-of-sale system of a Marshall’s clothing store in Minnesota.
The hackers pointed an antenna at the store to grab data as it streamed over the store’s vulnerable Wi-Fi network, then used the data to gain access to the central transaction database of TJX, Marshall’s parent company.
CyberTrust examined networks at five Wal-Mart locations: three Wal-Mart stores in Missouri and Oklahoma, and two other Wal-Mart-owned businesses, a Sam’s Club store in Missouri and a Neighborhood Market in Arkansas, according to a report the auditors wrote.
The assessment lasted no less than six days, during which CyberTrust found numerous problems. For example, each of the five stores housed complete backup copies of transaction logs on network-connected Unix servers, which included at least four years’ worth of unencrypted credit card numbers, cardholder names and expiration dates from purchases at the stores.
The security auditors also discovered that servers, transaction processing systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across every Wal-Mart store nationwide.
Worse, in some cases the passwords could be easily guessed. A hacker or malicious insider who compromised a PoS controller or in-store card processor at one store could “access the same device at every Wal-Mart store nationwide,” CyberTrust wrote.
CyberTrust also found some very sensitive customer information stored unencrypted on pharmacy computers at four of the stores, including customer names, home addresses, Social Security numbers, genders, credit card numbers and expiration dates.
“A long-term, undetected compromise of Wal-Mart RXP system could also allow a virtually endless supply of customers’ names, addresses, and Social Security numbers – the basic ingredients for identity theft,” CyberTrust wrote in its report.
“Wal-Mart runs the risk of losing not only the sensitive information, but also their customers’ hard earned trust,” the auditors added.
The Wal-Mart security report was dated Jan. 9, 2006, well over nine months before the company discovered the breach.
After that, Wal-Mart turned over memory dumps and at least 31 forensic images of machines and servers to Stroz Friedberg, a forensic investigations firm, for further analysis. Various emails exchanged by team members eight days after the intrusion was detected show the company furiously searching firewall and intrusion detection logs for suspicious activity.
The emails also discuss shutting down the entire VPN network the intruder used, ordering RSA security tokens to authenticate users to the network, and increasing logging retention on servers.
At one point, one team member sent an unencrypted email update to other Wal-Mart security employees and was harshly criticized by a senior manager who warned him to communicate only through e/pop, a secure instant messaging system.
Wal-Mart’s internal investigators found evidence potentially linking the attack to a suspected breach at a Wal-Mart division a year earlier. The forensic trail showed that the machine in Belarus that breached Wal-Mart’s VPN had tried to log on to a machine belonging to Sam’s Club, Wal-Mart’s membership store chain, in 2005.
Overall, PCI certification doesn’t guarantee the security of bank card data. Numerous companies that experienced serious bank card breaches in recent years were certified PCI compliant at the time they were breached.
But there's no question that Wal-Mart suffered a sizable breach of credit or debit card data, either from Sam’s Club in 2005 or from its main network in 2006.