InfoLawGroup LLP

More Evidence of Hannaford-like Exploits?

While I will have to defer to my tech/security-oriented friends, there are now reports of exploits that may be similar to the one suffered by Hannaford: Vermont ski area reports Hannaford-like theft of payment card data. This type of exploit may be more common than the Hannaford incident alone suggests:

And Hannaford and Okemo may not be the only businesses disclosing breaches involving payment card data in transit between systems. According to McPherson, law enforcement authorities who are investigating the breach at Okemo told resort officials that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.

So what does this all mean? Do the controls required under the PCI Standard address this issue? What about the encryption requirement under 4.1, which is directed at transmission over open, public networks and uses the language concerning "networks that are easy and common for a hacker to exploit"? If the data in these incidents was captured while moving between a merchant's own internal systems rather than over a public network, it is not obvious that 4.1 reaches it. In general, has the security community anticipated this sort of attack? Is it reasonably foreseeable that hackers would exploit point-of-sale systems in this way? Legally, is a failure to address this type of exploit "unreasonable" for purposes of a negligence claim?