Paying breach bill may not buy Hannaford full data protection

Computerworld - Hannaford Bros. Co. said last week that it expects to spend "millions" of dollars on IT security upgrades in response to the recent theft of up to 4.2 million credit and debit card numbers from its systems.

Some of the new measures that the grocer outlined go beyond the controls mandated by the Payment Card Industry Data Security Standard, or PCI. But it isn't clear whether they actually will address the issues that led to the data breach.

The planned upgrades include the installation of intrusion-prevention systems on Hannaford's corporate network and the systems at its stores, plus the deployment in checkout aisles of new PIN entry devices with Triple DES encryption.

Hannaford also said it has signed IBM to do around-the-clock network monitoring, and the Scarborough, Maine-based grocer vowed to encrypt all payment card data on its internal network. The goal, Hannaford CEO Ronald Hodge said during a press conference, is to put "military- and industrial-strength" security controls on the company's systems.

The level of encryption that Hannaford has in mind isn't required by the PCI rules, which specify that card data needs to be encrypted only if it's being transmitted across open public networks.

Despite the lack of more-stringent requirements, encrypting card numbers on point-of-sale devices is "the most significant action" that retailers can take to stop attacks such as the one that hit Hannaford, said Gartner Inc. analyst Avivah Litan.

But that doesn't necessarily mean that the new security measures will make Hannaford — or other companies that follow its lead — immune to future attacks.

Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill., praised some of the steps Hannaford is taking, including an earlier decision to replace all of the company's store servers. As part of the breach, malware was placed on the systems and then used to intercept the payment card numbers.

Huguelet said that the planned end-to-end encryption of card data also sounds good — on paper. But to make the data hacker-proof, he added, it would have to be encrypted from the PIN entry devices in stores to the systems of the payment-processing firm that authorizes card transactions.

And because almost no payment processors accept encrypted data at this point, Hannaford would likely need to convince the firm it works with to make system changes as well. "It's a tricky thing," Huguelet said.

Similarly, Hannaford's decision to replace all of its existing PIN entry devices puts it ahead of the curve in meeting a PCI mandate that companies must start using models with built-in support for Triple DES by July 2010.

But in most cases, the Triple DES technology encrypts only a customer's PIN, according to Huguelet. So even if Hannaford was already using such devices, it's unlikely that they would have prevented the card numbers from being compromised, he said.

Litan views Hannaford's plan to bolster its network defenses via the use of intrusion-prevention systems as another step in the right direction. But she said there are indications that the breach may have been the handiwork of a rogue insider — in which case the intrusion-prevention tools probably wouldn't have helped stop the attack.

Hannaford has said it was compliant with the PCI rules when the breach took place between Dec. 7 and March 10. But CIO Bill Homa said last week that the upgrades are aimed at strengthening the grocer's "deterrence, prevention and detection" capabilities.

The unanswered question, though, is whether that will put up a wall strong enough to keep future attackers out.

Read more about security in Computerworld's Security Knowledge Center.