Executives at Hannaford Bros. Co. said today that the grocer expects to spend "millions" of dollars on IT security upgrades in the wake of the recent network intrusion that resulted in the theft of up to 4.2 million credit and debit card numbers from its systems.
The planned upgrades include the installation of new intrusion-prevention systems that will monitor activities on Hannaford's network and the individual systems at its stores, plus the deployment of PIN pad devices featuring Triple DES encryption support in store checkout aisles.
Hannaford also has signed on IBM to do around-the-clock network monitoring under a managed security services deal, according to Ron Hodge, the grocer's president and CEO, and Bill Homa, its CIO. In addition, the Scarborough, Maine-based company had said previously that it had replaced all of the servers in its stores as part of an effort to rid its network of malware that was placed on them during the intrusion.
Hodge said during a press conference this morning that Hannaford is working with IBM, General Dynamics Corp., Cisco Systems Inc. and Microsoft Corp. on the upgrade program, which is aimed at putting "military- and industrial-strength" security controls in place. The total price tag for the security upgrades will be "a big number," he added, although the exact cost has yet to be determined. "It's going to be millions, but not tens of millions," Hodge said.
The only specific cost that he broke out was about $5,000 per store for the host-based intrusion-prevention tools that will be installed on local systems. Hannaford said previously that the data breach involved payment card transactions processed at nearly 300 stores — all of its 165 supermarkets in New England and New York, plus 106 stores operated under the Sweetbay name in Florida and 23 independently owned markets that sell Hannaford products. If the intrusion-prevention technology is deployed at each of those locations, the tab for that part of the upgrade program alone would amount to $1.5 million.
Hannaford disclosed on March 17 that unknown intruders had broken into its computer network and stolen the credit and debit card numbers as well as their expiration dates. In a letter sent to Massachusetts officials eight days later, the company said that the perpetrators had planted malware on the servers at each of the 294 affected stores.
The malware intercepted the card data as it was being transmitted from point-of-sale systems to authorize transactions, then forwarded the information in batches to a server located overseas, according to Hannaford. The incident at the grocery chain and a similar one reported two weeks later by the Okemo Mountain Resort ski area in Vermont indicate that cybercrooks are now targeting data that's in transit between systems, when it may not be encrypted or as well protected as stored data is.
During this morning's teleconference, which Hannaford held to provide an update on the measures it has been taking since the breach was discovered, Homa said that the security upgrades are focused on improving the company's "deterrence, prevention and detection" capabilities. Over the next 18 months or so, Hannaford plans to bring its security management processes into compliance with the ISO 27001 security standard, he added.
The managed security service being provided by IBM will deliver real-time intrusion alerts to Hannaford and help the company identify threats and direct resources to counter them more quickly than it could before, Homa said. He noted that the new PIN pad devices with Triple DES support will be installed at all stores over the next few months, as part of a plan to ensure that cardholder data is encrypted within Hannaford's internal network.
Hodge described the network intrusion as one of the biggest challenges that Hannaford has faced in its 100-plus-year history, and "the biggest challenge in my tenure as CEO." He acknowledged that the breach may have caused concerns among Hannaford customers about the possibility of fraud and identity theft, and said that the company's goal is to assure shoppers of its commitment to securing their data going forward.
However, Hodge didn't release any new information about the breach itself or how it might have happened, citing an ongoing investigation of the incident.
Hannaford's efforts to shore up data security in the aftermath of the breach may help it prevent similar intrusions in future, but the company still may find itself having to explain why it hadn't implemented such measures in the first place. At least two class-action lawsuits have been filed against Hannaford, charging it with negligence and breach of promise for allowing the intrusions to happen.
If the fallout from the massive data compromise disclosed early last year by The TJX Companies Inc. is any indication, Hannaford could find itself facing claims similar to those filed against TJX by banks and credit unions seeking reimbursement for the cost of issuing new payment cards to their customers. Altogether, TJX has spent or set aside about $250 million thus far to cover costs related to its breach.
Hannaford has said that it was compliant with the Payment Card Industry Data Security Standard, or PCI, when the network intrusion took place between Dec. 7 of last year and March 10. The PCI standard is mandated by the major credit card companies to try to protect card data while it's on the systems of retailers and other merchants. But it remains to seen whether the compliance certification issued to Hannaford by an outside assessor will help the company defend itself against the class-action lawsuits and the reimbursement claims.