Hannaford to spend 'millions' on IT security upgrades after breach

Hannaford to spend 'millions' on IT security upgrades after breach
Hannaford to spend 'millions' on IT security upgrades after breach 

By Jaikumar Vijayan
April 22, 2008 

Executives at Hannaford Bros. Co. said today that the grocer expects to 
spend "millions" of dollars on IT security upgrades in the wake of the 
recent network intrusion that resulted in the theft of up to 4.2 million 
credit and debit card numbers from its systems.

The planned upgrades include the installation of new 
intrusion-prevention systems that will monitor activities on Hannaford's 
network and the individual systems at its stores, plus the deployment of 
PIN pad devices featuring Triple DES encryption support in store 
checkout aisles.

Hannaford also has signed on IBM to do around-the-clock network 
monitoring under a managed security services deal, according to Ron 
Hodge, the grocer's president and CEO, and Bill Homa, its CIO. In 
addition, the Scarborough, Maine-based company had said previously that 
it had replaced all of the servers in its stores as part of an effort to 
rid its network of malware that was placed on them during the intrusion.

Hodge said during a press conference this morning that Hannaford is 
working with IBM, General Dynamics Corp., Cisco Systems Inc. and 
Microsoft Corp. on the upgrade program, which is aimed at putting 
"military- and industrial-strength" security controls in place. The 
total price tag for the security upgrades will be "a big number," he 
added, although the exact cost has yet to be determined. "It's going to 
be millions, but not tens of millions," Hodge said.

The only specific cost that he broke out was about $5,000 per store for 
the host-based intrusion-prevention tools that will be installed on 
local systems. Hannaford said previously that the data breach involved 
payment card transactions processed at nearly 300 stores . all of its 
165 supermarkets in New England and New York, plus 106 stores operated 
under the Sweetbay name in Florida and 23 independently owned markets 
that sell Hannaford products. If the intrusion-prevention technology is 
deployed at each of those locations, the tab for that part of the 
upgrade program alone would amount to $1.5 million.

Hannaford disclosed on March 17 that unknown intruders had broken into 
its computer network and stolen the credit and debit card numbers as 
well as their expiration dates. In a letter sent to Massachusetts 
officials eight days later, the company said that the perpetrators had 
planted malware on the servers at each of the 294 affected stores.

The malware intercepted the card data as it was being transmitted from 
point-of-sale systems to authorize transactions, then forwarded the 
information in batches to a server located overseas, according to 
Hannaford. The incident at the grocery chain and a similar one reported 
two weeks later by the Okemo Mountain Resort ski area in Vermont 
indicate that cybercrooks are now targeting data that's in transit 
between systems, when it may not be encrypted or as well protected as 
stored data is.

During this morning's teleconference, which Hannaford held to provide an 
update on the measures it has been taking since the breach was 
discovered, Homa said that the security upgrades are focused on 
improving the company's "deterrence, prevention and detection" 
capabilities. Over the next 18 months or so, Hannaford plans to bring 
its security management processes into compliance with the ISO 27001 
security standard, he added.

The managed security service being provided by IBM will deliver 
real-time intrusion alerts to Hannaford and help the company identify 
threats and direct resources to counter them more quickly than it could 
before, Homa said. He noted that the new PIN pad devices with Triple DES 
support will be installed at all stores over the next few months, as 
part of a plan to ensure that cardholder data is encrypted within 
Hannaford's internal network.

Hodge described the network intrusion as one of the biggest challenges 
that Hannaford has faced in its 100-plus-year history, and "the biggest 
challenge in my tenure as CEO." He acknowledged that the breach may have 
caused concerns among Hannaford customers about the possibility of fraud 
and identity theft, and said that the company's goal is to assure 
shoppers of its commitment to securing their data going forward.

However, Hodge didn't release any new information about the breach 
itself or how it might have happened, citing an ongoing investigation of 
the incident.

Hannaford's efforts to shore up data security in the aftermath of the 
breach may help it prevent similar intrusions in future, but the company 
still may find itself having to explain why it hadn't implemented such 
measures in the first place. At least two class-action lawsuits have 
been filed against Hannaford, charging it with negligence and breach of 
promise for allowing the intrusions to happen.

If the fallout from the massive data compromise disclosed early last 
year by The TJX Companies Inc. is any indication, Hannaford could find 
itself facing claims similar to those filed against TJX by banks and 
credit unions seeking reimbursement for the cost of issuing new payment 
cards to their customers. Altogether, TJX has spent or set aside about 
$250 million thus far to cover costs related to its breach.

Hannaford has said that it was compliant with the Payment Card Industry 
Data Security Standard, or PCI, when the network intrusion took place 
between Dec. 7 of last year and March 10. The PCI standard is mandated 
by the major credit card companies to try to protect card data while 
it's on the systems of retailers and other merchants. But it remains to 
seen whether the compliance certification issued to Hannaford by an 
outside assessor will help the company defend itself against the 
class-action lawsuits and the reimbursement claims.

Subscribe to the InfoSec News RSS Feed 

Site design & layout copyright © 1986-2015 CodeGods