By Jaikumar Vijayan
April 22, 2008
Executives at Hannaford Bros. Co. said today that the grocer expects to
spend "millions" of dollars on IT security upgrades in the wake of the
recent network intrusion that resulted in the theft of up to 4.2 million
credit and debit card numbers from its systems.
The planned upgrades include the installation of new
intrusion-prevention systems that will monitor activities on Hannaford's
network and the individual systems at its stores, plus the deployment of
PIN pad devices featuring Triple DES encryption support in store
Hannaford also has signed on IBM to do around-the-clock network
monitoring under a managed security services deal, according to Ron
Hodge, the grocer's president and CEO, and Bill Homa, its CIO. In
addition, the Scarborough, Maine-based company had said previously that
it had replaced all of the servers in its stores as part of an effort to
rid its network of malware that was placed on them during the intrusion.
Hodge said during a press conference this morning that Hannaford is
working with IBM, General Dynamics Corp., Cisco Systems Inc. and
Microsoft Corp. on the upgrade program, which is aimed at putting
"military- and industrial-strength" security controls in place. The
total price tag for the security upgrades will be "a big number," he
added, although the exact cost has yet to be determined. "It's going to
be millions, but not tens of millions," Hodge said.
The only specific cost that he broke out was about $5,000 per store for
the host-based intrusion-prevention tools that will be installed on
local systems. Hannaford said previously that the data breach involved
payment card transactions processed at nearly 300 stores: all of its
165 supermarkets in New England and New York, plus 106 stores operated
under the Sweetbay name in Florida and 23 independently owned markets
that sell Hannaford products. If the intrusion-prevention technology is
deployed at each of those locations, the tab for that part of the
upgrade program alone would amount to $1.5 million.
Hannaford disclosed on March 17 that unknown intruders had broken into
its computer network and stolen the credit and debit card numbers as
well as their expiration dates. In a letter sent to Massachusetts
officials eight days later, the company said that the perpetrators had
planted malware on the servers at each of the 294 affected stores.
The malware intercepted the card data as it was being transmitted from
point-of-sale systems to authorize transactions, then forwarded the
information in batches to a server located overseas, according to
Hannaford. The incident at the grocery chain and a similar one reported
two weeks later by the Okemo Mountain Resort ski area in Vermont
indicate that cybercrooks are now targeting data that's in transit
between systems, when it may not be encrypted or as well protected as
stored data is.
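The pattern the article describes (card data captured on the store server, then pushed out in batches to an outside host) is what the round-the-clock network monitoring and real-time alerting mentioned earlier are meant to surface. The following Go program is an added example, not code from the article, from Hannaford or from any of its vendors: it reads constructed outbound-flow records from store servers, drops connections to approved payment-processor and corporate endpoints, and raises an alert for every remaining destination, marking a source/destination pair as periodic when the transfers recur at a near-constant interval. The record format, the host names, the approved-endpoint list and the RFC 5737 test addresses are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Flow is one outbound connection summary from a store server. Constructed
// record format: "<RFC3339 time> <store host> <destination ip> <bytes out>".
type Flow struct {
	TS       time.Time
	Src, Dst string
	BytesOut int
}

// ParseFlow parses one constructed flow record.
func ParseFlow(line string) (Flow, error) {
	var ts, src, dst string
	var n int
	if _, err := fmt.Sscanf(line, "%s %s %s %d", &ts, &src, &dst, &n); err != nil {
		return Flow{}, fmt.Errorf("bad flow record %q: %v", line, err)
	}
	t, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return Flow{}, err
	}
	return Flow{TS: t, Src: src, Dst: dst, BytesOut: n}, nil
}

// Alert summarises traffic from one store host to one unapproved destination.
type Alert struct {
	Src, Dst        string
	Count, BytesOut int
	Periodic        bool // recurs at a near-constant interval, like a scheduled upload
}

// evenlySpaced is true when the largest gap between consecutive time-sorted flows is under 1.25x the smallest.
func evenlySpaced(fls []Flow) bool {
	if len(fls) < 3 {
		return false
	}
	var gaps []time.Duration
	for i := 1; i < len(fls); i++ {
		gaps = append(gaps, fls[i].TS.Sub(fls[i-1].TS))
	}
	sort.Slice(gaps, func(i, j int) bool { return gaps[i] < gaps[j] })
	return gaps[0] > 0 && float64(gaps[len(gaps)-1]) < 1.25*float64(gaps[0])
}

// DetectBatchExfil ignores flows to approved destinations, groups the rest by (source, destination)
// and marks a group periodic when it holds at least minCount evenly spaced flows. Sorted by source, destination.
func DetectBatchExfil(lines []string, approved map[string]bool, minCount int) ([]Alert, error) {
	type pair struct{ src, dst string }
	groups := map[pair][]Flow{}
	for _, line := range lines {
		fl, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		if !approved[fl.Dst] {
			k := pair{fl.Src, fl.Dst}
			groups[k] = append(groups[k], fl)
		}
	}
	var alerts []Alert
	for k, fls := range groups {
		sort.Slice(fls, func(i, j int) bool { return fls[i].TS.Before(fls[j].TS) })
		a := Alert{Src: k.src, Dst: k.dst, Count: len(fls)}
		for _, f := range fls {
			a.BytesOut += f.BytesOut
		}
		a.Periodic = len(fls) >= minCount && evenlySpaced(fls)
		alerts = append(alerts, a)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src+alerts[i].Dst < alerts[j].Src+alerts[j].Dst })
	return alerts, nil
}

// SampleFlows is constructed data on RFC 5737 test addresses: routine traffic to approved acquirer
// and corporate hosts, four evenly spaced ~180 KB uploads to an unapproved host, and one stray connection.
var SampleFlows = []string{
	"2008-03-01T01:00:00Z store17-srv 198.51.100.10 2048",
	"2008-03-01T01:05:00Z store17-srv 10.20.0.5 4096",
	"2008-03-01T02:00:00Z store17-srv 203.0.113.45 184320",
	"2008-03-01T08:00:00Z store17-srv 203.0.113.45 190464",
	"2008-03-01T09:30:00Z store42-srv 192.0.2.7 512",
	"2008-03-01T14:00:00Z store17-srv 203.0.113.45 181248",
	"2008-03-01T20:00:00Z store17-srv 203.0.113.45 188416",
}

// Approved is the constructed set of destinations store servers may talk to.
var Approved = map[string]bool{"198.51.100.10": true, "10.20.0.5": true}

func main() {
	alerts, err := DetectBatchExfil(SampleFlows, Approved, 3)
	fmt.Printf("%+v %v\n", alerts, err)
}
```

Run as written, the program reports one periodic alert for store17-srv (four uploads six hours apart to 203.0.113.45) and one non-periodic alert for store42-srv's single stray connection. The allow-list is the part that needs the most care in a real deployment: store servers legitimately talk to only a handful of acquirer and corporate hosts, so an explicit list keeps the alert volume small, and the periodicity flag separates a scheduled upload from a one-off misconfiguration.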
During this morning's teleconference, which Hannaford held to provide an
update on the measures it has been taking since the breach was
discovered, Homa said that the security upgrades are focused on
improving the company's "deterrence, prevention and detection"
capabilities. Over the next 18 months or so, Hannaford plans to bring
its security management processes into compliance with the ISO 27001
security standard, he added.
The managed security service being provided by IBM will deliver
real-time intrusion alerts to Hannaford and help the company identify
threats and direct resources to counter them more quickly than it could
before, Homa said. He noted that the new PIN pad devices with Triple DES
support will be installed at all stores over the next few months, as
part of a plan to ensure that cardholder data is encrypted within
Hannaford's internal network.
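The point of Homa's Triple DES PIN pads is that card data is encrypted at the terminal under a key the store server never holds, so a tap on that server, which is where the malware sat, relays only ciphertext that the payment processor decrypts on its own side. The Go program below is an added example, not code from the article or from Hannaford's vendors: it models the terminal encrypting track data with 3DES in CBC mode, a tap on the store server that scans the relayed bytes for a PAN-shaped digit run, and the acquirer recovering the data. The 24-byte key, the test PAN 4111111111111111 and the simple iv || ciphertext framing are assumptions made for the example; production terminals derive per-transaction keys (DUKPT), the acquirer's key lives in an HSM, and Triple DES is no longer recommended for new designs.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// panPattern is a PAN-shaped run of 13 to 19 digits, the kind of thing a
// tap on the store server would scan relayed bytes for.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// pkcs7Pad returns a padded copy so the caller's buffer is untouched.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	out := append(make([]byte, 0, len(b)+n), b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// PinPadEncrypt models the terminal: track data is encrypted with 3DES-CBC
// under a key shared only with the acquirer before it leaves the device.
// The iv || ciphertext output framing is an assumption of this example.
func PinPadEncrypt(key, track []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // 24-byte three-key 3DES
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(track, des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// AcquirerDecrypt models the processor's side recovering the track data.
func AcquirerDecrypt(key, msg []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < 2*des.BlockSize || len(msg)%des.BlockSize != 0 {
		return nil, errors.New("bad message length")
	}
	iv, ct := msg[:des.BlockSize], msg[des.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, des.BlockSize)
}

// StoreServerSeesPAN models the malware's vantage point: whether a
// PAN-shaped digit run is visible in the bytes the store server relays.
func StoreServerSeesPAN(payload []byte) bool {
	return panPattern.Match(payload)
}

func main() {
	key := []byte("0123456789abcdefFEDCBA98")   // constructed demo key
	track := []byte("4111111111111111=4912101") // constructed test PAN and expiry
	fmt.Println("plaintext path, PAN visible at store server:", StoreServerSeesPAN(track))
	msg, err := PinPadEncrypt(key, track)
	if err != nil {
		panic(err)
	}
	fmt.Println("3DES PIN pad path, PAN visible at store server:", StoreServerSeesPAN(msg))
	pt, err := AcquirerDecrypt(key, msg)
	fmt.Println("acquirer recovers track data:", err == nil && bytes.Equal(pt, track))
}
```

The contrast the two `StoreServerSeesPAN` calls draw is the whole argument for terminal-side encryption: the same server-side tap that could read the plaintext track finds nothing usable once the PIN pad encrypts before transmitting, and the store server needs no key at all to do its job of forwarding the authorization request.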
Hodge described the network intrusion as one of the biggest challenges
that Hannaford has faced in its 100-plus-year history, and "the biggest
challenge in my tenure as CEO." He acknowledged that the breach may have
caused concerns among Hannaford customers about the possibility of fraud
and identity theft, and said that the company's goal is to assure
shoppers of its commitment to securing their data going forward.
However, Hodge didn't release any new information about the breach
itself or how it might have happened, citing an ongoing investigation of
Hannaford's efforts to shore up data security in the aftermath of the
breach may help it prevent similar intrusions in future, but the company
still may find itself having to explain why it hadn't implemented such
measures in the first place. At least two class-action lawsuits have
been filed against Hannaford, charging it with negligence and breach of
promise for allowing the intrusions to happen.
If the fallout from the massive data compromise disclosed early last
year by The TJX Companies Inc. is any indication, Hannaford could find
itself facing claims similar to those filed against TJX by banks and
credit unions seeking reimbursement for the cost of issuing new payment
cards to their customers. Altogether, TJX has spent or set aside about
$250 million thus far to cover costs related to its breach.
Hannaford has said that it was compliant with the Payment Card Industry
Data Security Standard, or PCI, when the network intrusion took place
between Dec. 7 of last year and March 10. The PCI standard is mandated
by the major credit card companies to try to protect card data while
it's on the systems of retailers and other merchants. But it remains to be
seen whether the compliance certification issued to Hannaford by an
outside assessor will help the company defend itself against the
class-action lawsuits and the reimbursement claims.