Home » Data Protection » PCI and Compliance

Converging Physical and Cyber Security at Stop & Shop

Supermarket chain CISO John Kirkwood speaks out about the latest evidence of why physical security and information security can't be approached separately.

March 09, 2007 — CSO — Thirty seconds. That's about how long it took for criminals to subvert both the information security and physical security precautions put in place by the supermarket chain Stop & Shop.

As you probably know by now, Stop & Shop is warning customers in Rhode Island and Massachusetts that it had a security breach. Not a huge one (at least by the look of it so far), but still a doozy, in which criminals went into at least six stores and tampered with Electronic Funds Transfer units. These are the point of sale devices, more commonly known as PIN pads, where credit and debit card customers swipe their cards and enter personal identification numbers.

John Kirkwood, global information security officer for Royal Ahold, Stop & Shop's Amsterdam-based parent company, says that it took criminals, operating late at night when the store was thinly staffed, about half a minute to replace a legitimate check-out device with a phony one that, in addition to doing what the legit device was supposed to do, also captured card numbers and PINs for the criminals to retrieve later. It's a scam similar to cash machine "skimming," in which criminals tamper with automatic teller machines to nab bank account information from unsuspecting users.

"They would come in and replace a machine that was a perfectly good encrypted machine with a machine that was designed to be able to harvest and store the information," Kirkwood says. "You don't think that people are going to come in and, in a concerted, gang-like way, target PIN pad machines."

Except that's exactly what happened. So Stop & Shop failed, right? Well, not exactly. The whole point of risk management is to do your best and adjust as you go. When you find a problem, you fix it. That's exactly what Stop & Shop is doing now.

For one thing, Kirkwood says, the company has completed awareness training for employees about this PIN pad threat. In fact, it was employees who noticed "suspicious activity" at the front of the store in Coventry, Rhode Island, one night last week and contacted the local police. The Coventry police department then arrested four men who had, it seems, come back to reclaim the tampered-with machines and retrieve the information they held. (The men were from California, and the Secret Service is investigating; I can only speculate that the full extent of the damage extends far beyond six grocery stores in New England.)