Wednesday, April 16, 2014
Hannaford Bros. has beefed up computer security since a data breach exposed 4.2 million customer credit and debit card numbers to potential fraud, and plans other changes to make the system even stronger, executives said Tuesday.
The cost of the upgrades will be in the ''millions of dollars,'' Senior Vice President and Chief Information Officer Bill Homa said during a teleconference to publicize steps the company has taken.
Homa said Hannaford will be encrypting customer credit card and debit card numbers from the personal identification number pad through the internal network. Doing that means the company will have to replace all the PIN pads at all the stores, a process that will take two to three months.
Security analysts say that the plan to disguise card numbers from the time customers swipe their cards until the data leaves the grocery's network will offer real protection against future fraud attempts. But the change can complicate the processing of data.
Avivah Litan, vice president and research director at Gartner Inc., said most card-payment processing companies don't take encrypted data, relying instead on private communications lines for security. So the data will likely have to be de-encrypted after it exits Hannaford's network, she said.
Hannaford President and CEO Ron Hodge opened Tuesday's session by saying the data breach has been ''one of the biggest challenges for the company in its 100-year-plus history.'' The company, he said, is working with General Dynamics, IBM, Cisco and Microsoft to implement ''military- and industrial-strength protections.''
Officials said Hannaford also has installed a security monitoring and detection service from IBM to provide real-time information on potential intrusions.
''One of the learnings of the breach is we don't have enough eyes and hands to watch all of the false positive intrusions that happen in a vast network -- you have millions and millions of people pinging your IP address,'' said Homa.
''We decided to turn that over to IBM because they have the tools and resources to watch for false positive intrusions and report back to us if we need to investigate.''
The company is also choosing a vendor to provide systems that watch the company's computer network and send alerts when it's under attack.
Monitoring systems are fairly standard among companies these days, said Litan, of Gartner.
Though the company's moves make sense, they come a little too late, said Chris Soghoian, a computer security researcher at Indiana University.
''We see this reactive security. What we're not seeing is nudging companies to do things before the fact,'' Soghoian said. ''Companies don't really think it's worth their while to pay this money ahead of time until they suffer a breach, and then it costs them millions of dollars.''
Lawmakers, he said, should offer some incentives for companies to encrypt data. Members of Maine's congressional delegation have said they would review laws addressing both data protection and notification of consumers after a breach.
Meanwhile, Hodge said Hannaford hasn't seen a drop in business since the breach.
''Our sales have remained within our expectations over these past five or six weeks,'' he said. ''Quite frankly, we're very appreciative of the support we've gotten from our loyal customers.''
Company officials said they couldn't comment on details emerging from the forensic and criminal investigations. Secret Service spokesman Malcolm Wiley said his agency is still investigating the incident, and wouldn't comment .
Attorneys have filed at least seven lawsuits in U.S. District Court in Portland, and plaintiffs' lawyers hope to incorporate the suits into a class-action case.
Hannaford learned Feb. 27 that data thieves had attacked its security system. First Data, which handles transactions for Discover and American Express, telephoned to say that an unusual number of credit cards were showing fraudulent charges. All the cards had been previously used at Hannaford or grocery chains affiliated with the Scarborough-based chain, such as Sweetbay stores in Florida.
When the company announced the breach March 17, officials said they were aware that 1,800 cards had experienced fraudulent charges, a fraction of the 4.2 million cards exposed. The company received that tally from credit card companies, but Hodge said that they have not obtained an updated number.
Each financial institution or credit card company tracks its own fraud and isn't required to report those numbers to any public agency, so it is unclear how many of the at-risk card numbers were actually stolen.
Staff Writer Matt Wickenheiser can be contacted at 791-6316 or at: