Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI

Written by Evan Schuman
April 25th, 2008

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."

Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption ("customer card information is now encrypted from the PINpad at the store register and remains encrypted while it’s in our own internal network"), host and network intrusion prevention systems ("to proactively prevent malware from being installed in our systems") and better payment segmentation.

He also—inexplicably—used the news conference to announce that Hannaford was "the first retailer in Maine" to have a Cisco Certified Internetwork Expert (CCIE) on the payroll. Wonder if they’ll call another news conference if that employee leaves?

The intrusion tracking system is something Hannaford has turned over to IBM, and Homa detailed what his concerns were. "One of the learnings of the breach is that we don’t have enough eyes and hands to watch all the false positive intrusions that happen in a vast network. You have millions and millions of people pinging your IP address," he said. "So we decided to turn that over to IBM and (have them) report back to us when we have something to investigate."

Beyond IBM, Homa said vendors that his team is working with on the security upgrades include General Dynamics, Cisco and Microsoft. He also confirmed that their PCI assessor is Verizon Business Services (formerly Cybertrust), which was also the initial assessor of TJX.

The encryption upgrades at POS will take another two to three months to complete, Homa said. "In many cases, we’re replacing equipment that is perfectly good except that it’s been obsoleted by the requirement for additional security," he said.

The host intrusion prevention system (HIPS) has not yet been awarded ("we’re in the middle of picking a software vendor") so "it will probably be the end of the year before we have that fully implemented in all of our stores."

They are also implementing ISO 27001 processes, which Homa estimated would take "a year to 18 months before it’s fully implemented."

He wouldn’t specify the estimated cost beyond the millions but "not tens of millions" comment, other than to say that HIPS could cost "as much as $5,000 per store, so it starts to add up."

Other new details that cropped up during the call or shortly before:

  • Adding more anecdotal evidence that consumers don’t really care about security violations. Hannaford CEO Ron Hodge told reporters that the breach did not impact sales at all. "There has not been a drop in sales," Hodge said.
  • The number of reported fraudulent acts associated with the Hannaford breach is still at 1,800. Why? No new information is being given to Hannaford, Hodge said. "We have not heard back from the credit card companies since the early days when it got to 1,800," he said.
  • Early reports had said that Hannaford replaced all of its servers. In fact, software alone was updated. The hardware remained.
  • In the first days after the breach was reported, the chief spokesperson for the breach, Hannaford marketing chief Carol Eleazer, told reporters that Hannaford had been certified PCI compliant in the Spring of 2007 and then again in February 2008. She has now modified that to indicate that both assessments were done in February (one in 2007 and one in 2008).
  • Another Hannaford spokesperson had said in an interview that the customers’ CVV numbers were also taken. Eleazer this week clarified that remark to mean that the magstripe data alone was taken, not the 3- or 4-digit non-embossed numbers on the back of Visa cards and MasterCards and on the front of American Express cards.
    Even though many E-commerce sites ask for the CVV, they are really asking for the CVV-2 if it’s a Visa card, the CID for American Express and the CVC2 for MasterCard. No matter. The magic number that E-tailers ask for—no matter what it’s called—wasn’t taken, Eleazer said this week.
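The distinction Eleazer draws above is the one PCI DSS cares about: the magnetic stripe's Track 2 carries the PAN, expiry, service code and issuer discretionary data (where the stripe's own verification value, CVV1/CVC1, is placed), while the CVV2/CID/CVC2 is printed on the card and is never on the stripe. Neither may be stored after authorization. The following scanner is an added example, not code from the article or from Hannaford, that detects either kind of sensitive authentication data in constructed log lines, using a Luhn check on the PAN to suppress false positives (the log lines, field names and card numbers are constructed sample values; 4111111111111111 is a well-known Visa test number).

```python
import re
from typing import Dict, List, Optional

# ISO/IEC 7813 Track 2 layout: start sentinel ';', PAN (12-19 digits),
# separator '=', expiry YYMM, 3-digit service code, issuer discretionary
# data (where the stripe's CVV1/CVC1 lives), end sentinel '?'.
# The CVV2 / CID / CVC2 printed on the card is NOT part of the track.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)
# Cleartext card-verification fields as they might appear in an application
# log (hypothetical field names chosen for the constructed sample below).
CVV2_RE = re.compile(r"\b(?:cvv2|cvc2|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four (the PCI DSS display allowance); mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(text: str) -> Optional[Dict[str, str]]:
    """Return the Track 2 fields found in text (PAN masked), or None if absent/invalid."""
    m = TRACK2_RE.search(text)
    if not m or not luhn_valid(m.group("pan")):
        return None
    return {
        "pan_masked": mask_pan(m.group("pan")),
        "expiry": m.group("exp"),
        "service_code": m.group("svc"),
        "discretionary": m.group("disc"),  # would contain CVV1/CVC1 on a real card
    }


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Flag lines that retain sensitive authentication data; never re-emit the raw PAN."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        track = parse_track2(line)
        if track is not None:
            findings.append({"line": number, "kind": "track2", **track})
            continue
        cv = CVV2_RE.search(line)
        if cv:
            findings.append({"line": number, "kind": "cvv2", "digits": len(cv.group(1))})
    return findings


# Constructed sample log: one retained track, one masked PAN (fine), one
# cleartext CVV2, and one track-shaped run of digits that fails Luhn.
SAMPLE_LOG = [
    "2008-02-12 09:14:02 pos-lane07 auth-request ;4111111111111111=0812101123456789?",
    "2008-02-12 09:14:02 pos-lane07 auth-response approved pan=411111******1111",
    "2008-02-12 09:15:40 web-checkout order=8841 cvv2=123 amount=42.10",
    "2008-02-12 09:16:05 pos-lane03 auth-request ;1234567890123456=0812101000000000?",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG):
        print(f)
```

Running it flags line 1 (full Track 2 retained) and line 3 (cleartext CVV2) and ignores lines 2 and 4; the same two patterns are what a retailer's own log review or a DLP rule should be hunting for on POS and back-office hosts.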


4 Comments

    1. David Taylor Says:

      Excellent article. More details than I’ve seen anywhere else on Hannaford.

    2. Robert Says:

      Talk about jumping off the deep end. While I applaud Mr. Homa’s reaction to what is, clearly, a major security breach, I don’t see why he is installing “military” grade security. His answer is to simply “remove” the sensitive payment card data from his system. If you eliminate the data, you eliminate the risk. Replace the data with something that still offers his stores valuable information, but is not “actual” card data. There are a couple companies out there that offer data replacement technology. My guess is that they are significantly less expensive and more secure than the thickest walls Mr. Homa can build around his data. If I were on Mr. Homa’s Board of Directors, I would be upset to learn that there was a better solution available – for far less money.
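The "data replacement technology" Robert refers to is usually called tokenization: store systems keep a surrogate value that preserves what the business needs (card length, last four digits for receipts and returns), and only a separately protected vault can map the token back to the real PAN. The sketch below is an added example, not code from the comment, the article or any vendor; the `TokenVault` class, its in-memory dictionaries and the sample order record are assumptions made for illustration, and a production vault would encrypt its mapping at rest and sit on a segmented network.

```python
import secrets
from typing import Dict, Optional


class TokenVault:
    """Hypothetical token vault: the only component that ever holds real PANs.
    Everything outside it (POS, loyalty, analytics) stores tokens only."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        # Reverse map so the same card always yields the same token, which lets
        # stores count repeat visits or match a return to a sale without a PAN.
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12-19 digits")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing
        while True:
            # Keep length and last four digits; randomize everything else.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can recover the PAN; callers elsewhere never get this path."""
        return self._pan_by_token.get(token)


def record_sale(vault: TokenVault, pan: str, amount: float) -> Dict[str, object]:
    """What a store system is allowed to keep: a token, not card data."""
    token = vault.tokenize(pan)
    return {"card_token": token, "last4": token[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    sale = record_sale(vault, "4111111111111111", 42.10)  # constructed test PAN
    print(sale)                                            # token only
    print(vault.detokenize(str(sale["card_token"])))       # PAN, vault-side only
```

The store-side record never contains the PAN, so a compromise of store systems alone yields tokens that are useless outside the vault; the vault becomes the single system that must meet the strictest controls, which is the cost argument the commenter is making.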

    3. Asa Holmstrom Says:

      Very informative article. One item that stood out was that Hannaford is “replacing equipment that is perfectly good” because they lack the security requirements.
      This is a problem faced by many retailers. They believe, or have been led to believe, that they need to replace existing equipment with very expensive new equipment to gain security requirements. Not only is this not true but it comes with a high price tag and also requires retraining staff and managing compatibility issues, as well as other issues.
      It is possible to keep perfectly good equipment in place and add security software for a fraction of the cost.
      Hopefully, retailers will begin to realize this and not feel they are required to replace existing, perfectly good equipment.

    4. Josh Says:

      This is a classic example of a client in denial, someone refusing to look and consider the facts. They were just simply trying to get by with the minimum effort.

      Too bad for their employees, the pig-headedness of the IT management will continue to cost them millions upon millions.

      Shame on this company.
