Paying breach bill may not buy Hannaford full data protection
The grocer is spending millions of dollars on new IT security tools. But they might not have prevented the theft of payment data from its systems.
Computerworld - Hannaford Bros. Co. said last week that it expects to spend "millions" of dollars on IT security upgrades in response to the recent theft of up to 4.2 million credit and debit card numbers from its systems.
Some of the new measures that the grocer outlined go beyond the controls mandated by the Payment Card Industry Data Security Standard, or PCI. But it isn't clear whether they actually will address the issues that led to the data breach.
The planned upgrades include the installation of intrusion-prevention systems on Hannaford's corporate network and the systems at its stores, plus the deployment in checkout aisles of new PIN entry devices with Triple DES encryption.
Hannaford also said it has signed IBM to do around-the-clock network monitoring, and the Scarborough, Maine-based grocer vowed to encrypt all payment card data on its internal network. The goal, Hannaford CEO Ronald Hodge said during a press conference, is to put "military- and industrial-strength" security controls on the company's systems.
The level of encryption that Hannaford has in mind isn't required by the PCI rules, which specify that card data needs to be encrypted only if it's being transmitted across open public networks.
Despite the lack of more-stringent requirements, encrypting card numbers on point-of-sale devices is "the most significant action" that retailers can take to stop attacks such as the one that hit Hannaford, said Gartner Inc. analyst Avivah Litan.
But that doesn't necessarily mean that the new security measures will make Hannaford — or other companies that follow its lead — immune to future attacks.
Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill., praised some of the steps Hannaford is taking, including an earlier decision to replace all of the company's store servers. As part of the breach, malware was placed on the systems and then used to intercept the payment card numbers.
Huguelet said that the planned end-to-end encryption of card data also sounds good — on paper. But to make the data hacker-proof, he added, it would have to be encrypted from the PIN entry devices in stores to the systems of the payment-processing firm that authorizes card transactions.
And because almost no payment processors accept encrypted data at this point, Hannaford would likely need to convince the firm it works with to make system changes as well. "It's a tricky thing," Huguelet said.
Similarly, Hannaford's decision to replace all of its existing PIN entry devices puts it ahead of the curve in meeting a PCI mandate that companies must start using models with built-in support for Triple DES by July 2010.
But in most cases, the Triple DES technology encrypts only a customer's PIN, according to Huguelet. So even if Hannaford was already using such devices, it's unlikely that they would have prevented the card numbers from being compromised, he said.
Litan views Hannaford's plan to bolster its network defenses via the use of intrusion-prevention systems as another step in the right direction. But she said there are indications that the breach may have been the handiwork of a rogue insider — in which case the intrusion-prevention tools probably wouldn't have helped stop the attack.
Hannaford has said it was compliant with the PCI rules when the breach took place between Dec. 7 and March 10. But CIO Bill Homa said last week that the upgrades are aimed at strengthening the grocer's "deterrence, prevention and detection" capabilities.
The unanswered question, though, is whether that will put up a wall strong enough to keep future attackers out.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Omnichannel: From Buzzword to Strategy Customers demand a seamless experience across channels, especially mobile. Read this whitepaper for a research-based framework for using omnichannel for higher customer engagement.
- The 5 Big Lies About Going Mobile You've heard about the power of mobile to change your business. But have you realized your mobile potential? It's about much more than...
- Developing a Winning Mobile Strategy: Playing Offense vs Defense Don't lose time and money with a "throw an app against a wall to see if sticks" approach to mobile. You need a...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- Live Webcast Increasing the Value of Your Reports and Dashboards Learn how incorporating other analytical capabilities such as predictive modeling and visualization can increase the value of your reports and dashboards by providing...
- Testimonial: Cystic Fibrosis Trust Peter Hawkins, the Head of IT for Cystic Fibrosis Trust, discusses the role CommVault's Simpana software platform plays in improving the company's information...
- Increasing the Value of Your Reports and Dashboards Learn how incorporating other analytical capabilities such as predictive modeling and visualization can increase the value of your reports and dashboards by providing... All Management White Papers | Webcasts