It’s been a busy couple of days in the world of cybersecurity. On Friday, two of the largest grocery store chains in the United States – Albertson’s and SuperValu – announced that their payment systems had been hacked. Earlier today, Community Health Systems, operator of 206 hospitals across the United States, announced that hackers have stolen data on 4.5 million patients.
The Albertson’s and SuperValu hacks are believed to have happened between mid-June and mid-July of this year. SuperValu, which Albertson’s identified as its IT-service provider, indicated that the security breach affected credit cards swiped at 228 of its stores. The virtual break-in at Albertson’s likely impacted more than 700 of its 1060 stores. Although it is known that their systems were compromised, it is not certain whether the hackers were able to take payment data from their systems.
Seeing similarities between this breach and other retail cyber-attacks, some bloggers are speculating that vulnerabilities in the POS system may have been the entry point for the hackers.
“The companies did not reveal how the card data were stolen, but given the recent outbreak of point-of-sale (POS) hacks at the third-largest U.S. retailer and other major retailers such as Neiman Marcus and Michaels Stores, the POS systems would be a likely attack vector.”
– Swati Khandelwal, The Hacker News
Although it is not certain whether customer data was successfully obtained during the Albertson’s and SuperValu hacks, in breaking into the network at Community Health Systems, hackers made off with data on 4.5 million patients. The security breach exposed customer names, Social Security numbers, addresses, phone numbers and dates of birth – information sufficient for opening fraudulent bank accounts or other malicious activity. Early investigations indicated that the China-based hackers used sophisticated malware to conduct the attacks during April and June of this year.
As we frequently remind our customers, compliance with standards like PCI-DSS for retail and HIPAA for health care is not synonymous with security. These guidelines provide a baseline, but each organization needs to take additional steps to ensure that it has a layered security approach for protecting its critical business systems and customer data. Graham Cluley at Tripwire’s The State of Security blog echoes that notion, writing:
“Hospitals and health agencies need to clean up their act, and work harder to properly protect the valuable personal information that patients entrust to them. Layered defenses that go beyond just relying on traditional anti-virus solutions need to be implemented to prevent hackers from breaching computer systems and stop them from exfiltrating sensitive data.”
– Graham Cluley, The State of Security
The steps taken today – reviewing your perimeter, segmenting your network, refreshing security credentials – can provide an important buffer against the relentless threat of cyberattacks. Both retail and healthcare, with their high volumes of customer data and complex, multi-site networks, have vulnerabilities that motivated hackers will continue to exploit.