Hannaford to spend 'millions' on IT security upgrades after breach
CEO and CIO say grocer will encrypt payment card data, add new monitoring capabilities
Computerworld - Executives at Hannaford Bros. Co. said today that the grocer expects to spend "millions" of dollars on IT security upgrades in the wake of the recent network intrusion that resulted in the theft of up to 4.2 million credit and debit card numbers from its systems.
The planned upgrades include the installation of new intrusion-prevention systems that will monitor activities on Hannaford's network and the individual systems at its stores, plus the deployment of PIN pad devices featuring Triple DES encryption support in store checkout aisles.
Hannaford also has signed on IBM to do around-the-clock network monitoring under a managed security services deal, according to Ron Hodge, the grocer's president and CEO, and Bill Homa, its CIO. In addition, the Scarborough, Maine-based company had said previously that it had replaced all of the servers in its stores as part of an effort to rid its network of malware that was placed on them during the intrusion.
Hodge said during a press conference this morning that Hannaford is working with IBM, General Dynamics Corp., Cisco Systems Inc. and Microsoft Corp. on the upgrade program, which is aimed at putting "military- and industrial-strength" security controls in place. The total price tag for the security upgrades will be "a big number," he added, although the exact cost has yet to be determined. "It's going to be millions, but not tens of millions," Hodge said.
The only specific cost that he broke out was about $5,000 per store for the host-based intrusion-prevention tools that will be installed on local systems. Hannaford said previously that the data breach involved payment card transactions processed at nearly 300 stores — all of its 165 supermarkets in New England and New York, plus 106 stores operated under the Sweetbay name in Florida and 23 independently owned markets that sell Hannaford products. If the intrusion-prevention technology is deployed at each of those locations, the tab for that part of the upgrade program alone would amount to $1.5 million.
Hannaford disclosed on March 17 that unknown intruders had broken into its computer network and stolen the credit and debit card numbers as well as their expiration dates. In a letter sent to Massachusetts officials eight days later, the company said that the perpetrators had planted malware on the servers at each of the 294 affected stores.
The malware intercepted the card data as it was being transmitted from point-of-sale systems to authorize transactions, then forwarded the information in batches to a server located overseas, according to Hannaford. The incident at the grocery chain and a similar one reported two weeks later by the Okemo Mountain Resort ski area in Vermont indicate that cybercrooks are now targeting data that's in transit between systems, when it may not be encrypted or as well protected as stored data is.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts