
Hannaford Bros. yesterday offered an update on the investigation into the security breach that potentially compromised the account numbers and expiration dates of as many as 4.2 million credit and debit cards used at its stores between Dec. 7 and March 10. The breach was caused by a new and highly sophisticated scheme that secretly installed malicious software in every one of Hannaford's stores.

According to a statement released by the company, "Hannaford continues to work to ensure we have effective network security capabilities in place to provide our customers with a secure shopping environment. Hannaford has taken a number of steps to enhance its network security since the intrusion, including partnering with General Dynamics Advanced Information Systems, IBM, Cisco and Microsoft, to apply military- and industrial-strength network security to a retail environment."

These steps include:

• Installation of a 24/7-managed security monitoring and detection service from IBM to provide real-time alerts about any intrusive traffic.

• Encryption of customer card information from the store register, which then remains encrypted while it is in Hannaford's network.

In addition, the company said, it "is committed to achieving an even higher level of information security to ensure the integrity and confidentiality of its customer, associate and vendor information and will employ additional network security resources in the coming months. To meet this objective, Hannaford will apply a sustainable management process to identify threats to data security in advance and direct the implementation of appropriate policies and controls to counter these threats. Some of these measures include:

• Implementing Triple DES PIN encryption, the highest possible level of PIN encryption available;

• Installing Host and Network Intrusion Prevention Systems to proactively prevent malware from being installed on our systems;

• Introducing the most up-to-date firewalls and intrusion detection at the store-level and corporate headquarters to strengthen the segmentation of payment information;

• Launching an ISO 27001 Information Security Management System, which is considered to be a true gold standard approach to holistic information security.

KC's View:
This stuff is so far above my pay grade that it isn't even funny...I probably should know what the hell "Triple DES PIN encryption" means, but I don't, and I'm not even going to try to fake it.

But it sure sounds impressive. I particularly like the part about "military- and industrial-strength network security" would make me feel better about shopping at a Hannaford store.

Here's what would appear to be the good news. Hannaford CEO Ron Hodge tells the Boston Globe that customers haven't stopped shopping at Hannaford, and that "sales have remained within our expectations over the past five or six weeks … We are very encouraged by that."

If you have the trust of your customers, you can survive even nightmares like these.

The bad news? "The latest threat wasn't anticipated," Hannaford CIO Bill Homa tells the Boston Globe. "The bad guys are one step ahead." And Homa suggested that other retailers probably are vulnerable to similar attacks.