Hannaford Reveals Theft Details, Plans to Spend Millions on Military-Level Security

BREAKING NEWS: In an invitation-only conference call this morning, Hannaford Bros. CEO Ron Hodge and CIO Bill Homa reveal new facts about the recent theft of 4.7 million customer credit and debit card files from the grocer's data base. They also outline steps taken before and after the criminal intrusion, including details about future initiatives that will ensure a military-level of security and cost millions of dollars to ensure deterrence, protection and detection.

'The recent criminal intrusion was one of the biggest challenges we have ever faced in the 100-plus year history of Hannaford Bros.," said Hodge. 'We have spent significant resources in coming to understand the complexities of this crime. We have begun working with General Dynamics, IBM and Cisco to ensure a military-level of security. And we also want to apologize to our customers for intrusion. We will take bold steps to prevent future intrusions and want to thank customers for their loyalty and support in the past few weeks. We intend to do whatever it takes to be a leader in security and to protect customer data."

CIO Bill Homa, a recognized leader in retail technology and member of the RIS Editorial Advisory Board, revealed that the intrusion was contained in March and 'no personal customer information was compromised. It was limited to debit and credit card numbers and expiration dates, and it did not include PIN numbers. We do not keep identifiable customer information."

Both Hodge and Homa emphasized they could not fully address the scope of the intrusion due to ongoing criminal and forensic investigations. Their emphasis was on conveying an overview of security efforts and an understanding of future plans.

'We were an early adopter of the PCI standard system and certified as being compliant in February 2007 and February 2008," said Homa. 'In fact, we are committed to exceeding PCI compliance standards and are not limiting ourselves to just meeting them. IT security is a continual process."

Hannaford will focus on three main areas in its future security plan: deterrence, protection and detection. To accomplish these goals, Hannaford has implemented a 24/7 hosted intrusion protection system with IBM to help manage the complex task of separating false positives from real threats. 'We don't have enough eyes and hands to investigate all the false-positive intrusions we detect and so have begun working with IBM to help us and report back to us the ones that are real threats," said Homa.

Other areas where Hannaford is devoting IT resources include: highest possible level of PIN encryption, highest possible protection against malware being installed on systems and a host-intrusion prevention system to be installed on the POS controller.

In some cases, reports Homa, retailers have to wait until hardware and software vendors release next-generation products that comply with updated security standards. As soon as these new products are available, Hannaford will install them, even though 'we may be replacing perfectly good scanner guns, for example, with new guns that are more secure."

According to Homa, 'the cost for replacing hardware will run into the millions of dollars and the cost for host-intrusion protection will be $5,000 per store."

With 165 stores in the Hannaford chain, the cost for adding new software alone will be nearly a million dollars. Adding upgraded hardware will double that figure. And then there are the costs associated with restructuring business processes, adding internal controls and hiring external auditors to certify compliance. Multiply this figure by the rest of the retail industry and it is easy to project a cost in the billions of dollars to deal with the plague of criminal intrusions.

-Joe Skorupa

See related story:
PCI May Never Stop Hackers: Time to Rethink Security