Move over “Heartland-gate”, make room for “Walmart-gate” :-)
Wired uncovers a very fun story here. The juiciest quotes follow below:
On intruder goals:
“hackers targeted the development team in charge of the chain’s point-of-sale system and siphoned source code and other sensitive data”
“at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, were housed on company networks in unencrypted form.”
On intrusion discovery (Was is … an IDS maybe? Ha, not funny!):
“a fortuitous server crash led administrators to a password-cracking tool that had been surreptitiously installed on one of its servers”
“The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”
Please read the above line again! Again! AGAIN!
On some spoils of war:
“one of the documents that flew off to Minsk from a programmer’s machine was titled“POS Store Systems Technical Specifications TLOG Encryption and Financial Flows.” […] The hackers also stole or accessed files containing point-of-sale source code and executables, as well as additional proprietary documentation detailing the company’s transaction processing network.”
On PCI role:
“Wal-Mart says it received a number of [PCI DSS compliance validation] deadline extensions […] … became certified as PCI-compliant in August 2006 by VeriSign. After it discovered the breach in November 2006 …”
Read the whole thing, will ya?!