The immediate annoyances of Hannaford’s recent network outage are over – customers can again order groceries to go through the company’s website and use their credit cards to buy food and medications at Maine’s largest supermarket chain.

But two weeks after Hannaford’s online systems crashed and its parent company, Ahold Delhaize USA, announced it had “recently detected a cybersecurity issue,” it’s still unclear how dangerous the problem is and whether customer or employee information has been compromised.

Ahold Delhaize USA posted a statement Nov. 8 saying it was investigating internally with cybersecurity experts and had notified law enforcement. Hannaford has repeatedly refused to say which agency is on the case.

“We continue to work with leading third-party security experts as part of this process, and have notified and are working with law enforcement on the issue,” said Hannaford spokesperson Ericka Dodge. “Because the investigation is ongoing, we are not able to disclose additional details at this time.”

Hannaford has 9,500 workers at 68 stores in Maine, and a total of 26,000 employees at 189 stores across Maine, New Hampshire, Vermont and New York.

The situation is “highly suggestive of a ransomware attack,” said Brian Ray, founder and director of the Center for Cybersecurity and Privacy Protection at Cleveland State University School of Law. “Something pretty dramatic happened because they had to take systems offline or they were already offline because of an attack,” he said.

It’s fairly common for companies to delay reporting information to the public until they know the extent of the problem – though they should act as quickly as they can, according to Ray.

FBI RESPONDS AND ADVISES

As of Friday, neither Ahold Delhaize nor Hannaford had reported a data breach to the Office of the Maine Attorney General as required.

But data breach is a specific term indicating that digital information has been compromised, Ray said, and investigators working on the Ahold Delhaize case may not have reached that conclusion yet.

Ray said the FBI is “almost certainly” the agency leading the investigation. It has a robust national system of teams that specialize in tracking and responding to international online “threat actors” and the various impacts when online systems are compromised, Ray said.

A ransomware attack is a cybercrime in which an outside actor infiltrates an online system, encrypts the victim’s data, then demands a ransom payment in exchange for a decryption key or code to regain access to the locked files.

The attacker usually gains access through phishing emails, malicious links or vulnerabilities in software.

While many institutions and companies have anti-malware software and other protocols to prevent cyberattacks, they must be updated regularly to be effective, and cybercriminals are constantly looking for chinks in system defenses.

Many companies avoid paying the ransom for two reasons: They don’t want to encourage ransom attacks, and they don’t want to break the law by potentially supporting terrorism or any other threat to U.S. security.

“The FBI has been encouraging companies for years not to pay ransoms,” Ray said. “Companies are concerned about being penalized by the Office of Foreign Assets Control for directly or indirectly providing financial support to federally sanctioned entities.”

The OFAC is an arm of the U.S. Treasury that enforces economic and trade sanctions against targeted foreign jurisdictions, regimes and other national security threats, including terrorists and international narcotics traffickers.

“Responding to a cyberattack is a very painstaking, complicated and uncertain process, especially when your system has been compromised,” Ray said. “There’s a whole spectrum of things that could happen. Sometimes companies will receive a direct ransom demand but not always.”

CYBERCRIMINALS HIDE THEIR TRACKS

Companies that are prepared will usually activate an incident response plan and call in legal and forensic specialists to help wade through the process, Ray said. But at the outset, it’s often unclear exactly how a system has been compromised, and cybercriminals are practiced at avoiding detection.

“Companies need to prevent further damage to the system and protect information from being compromised,” Ray said. “But these threat actors are getting much more sophisticated at hiding their tracks and making it difficult to figure out where they’ve been.”

That process is further complicated if the attack involves multiple entities across various systems, he said, which could be the case with Ahold Delhaize USA, a Dutch-Belgian-owned company that includes Hannaford and several other East Coast supermarket chains.

While federal and state law enforcement authorities require companies to report cyberattacks, they may delay reporting until they know what’s happening, which could take days or weeks, Ray said.

“Until you have a reasonably sure understanding of what happened, you don’t want to report it,” he said. “You don’t want information to come out in dribs and drabs and further confuse people.”

However, as soon as companies believe customer or client information has been compromised, they should announce exactly what has happened, Ray said. That should include an explanation of what steps are being taken to address the breach and what steps customers should take to protect their information.

“The challenge is knowing when you know enough without taking too long,” Ray said.

Companies may withhold information from the public because they don’t want to appear vulnerable to cybercriminals or compromise ransom negotiations, he said.

The FBI also has no interest in early public disclosures and may ask companies not to disclose information, Ray said. In some cases, the agency has agents embedded with cybercriminals and doesn’t want to compromise ongoing investigations, Ray said.

“It’s an incredibly sophisticated game, and you want to present that you’ve got everything under control,” he said.

Because Hannaford and other Ahold Delhaize USA online systems were affected in a very public way, they didn’t have the luxury of not acknowledging it, Ray said.

“It’s the responsible thing to make sure they have a handle on it and take steps to contain the impacts,” he said. “In this case, the interests of the company and the customers are aligned.”

BUILDING AND MAINTAINING TRUST

The Nov. 8 announcement from Ahold Delhaize was brief, terse even, compared to Hannaford’s usually more personable, community-oriented efforts to promote healthy, time-saving food-shopping solutions.

“We apologize for any inconvenience this issue may have caused customers and partners,” the statement said.

On Friday, the announcement was no longer posted on the company’s website.

But while the public may have become used to repeated reports about data breaches, public relations and branding experts say it’s a mistake to leave customers worried or even wondering for too long about the personal impacts.

“The worst thing a company can do is to go dark,” said Rich Brooks, president of Flyte New Media, a branding, web design and digital marketing company in Portland.

“As soon as a company stops answering questions, people are going to fill it with whatever,” Brooks added.

Companies build trust with customers over time, he said, creating a bank they can draw from when problems crop up. But it can be hard to win back that trust.

“It’s all in how you handle it,” Brooks said. “They may have very legitimate reasons why they can’t say anything, but they need to explain that and say what they’ll do when they figure it all out.”

Nancy Marshall, CEO of Marshall Communications, a Maine public relations firm that specializes in crisis management, said Hannaford is fortunate to have built a trustworthy reputation.

“I understand the public wants to know what’s going on, but it’s almost dangerous for them to speculate about what’s happening,” she said.

Still, whenever a company faces a customer-relations crisis, “my advice is always to show compassion to the victims,” Marshall said.

In this case, Hannaford customers are potential victims of a cybersecurity issue, she said.

“They need to reassure them that they are doing absolutely everything to get to the bottom of this and make sure their information is safe,” Marshall said.

