Core Security
Preventing Security Breaches

by Samantha Murphy

Hannaford Bros. announced in mid-March that it fell victim to a security breach that has exposed more than 4 million card numbers and led to 1,800 cases of fraud. The Portland, Maine-based supermarket chain said credit- and debit-card numbers were stolen during the card-authorization process and about 4.2 million unique card numbers were exposed, placing the case among the largest data breaches in history.

The breach affected all of the company’s 165 namesake stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The incident reminded the industry of the fraud case surrounding TJX Cos. last year when it was reported that at least 45.7 million cards were exposed. Meanwhile, banks’ court filings put the number at more than 100 million.

With company fraud high on the radar again, security solution providers are advising retailers to revisit their prevention systems and make sure they are ready to combat hackers before they even break in. Tom Kellermann, VP of security awareness at Boston-based Core Security Technologies, spoke with Chain Store Age Web Editor/Associate Editor Samantha Murphy about what retailers should do to prevent—and prepare for—the worst.

CSA: How did this happen?
Tom Kellermann: Hannaford was probably attacked by internal computers, which were compromised by external hackers who remotely accessed these internal systems to bypass security controls. Regardless of their compliance with PCI to mitigate this risk and the implementation of encryption technology, Hannaford was breached because their internal computers were turned against them as a result of digital insider attacks. Encryption is like a turtle’s shell—if you can take over the turtle (or computer), then you can make him expose himself.

CSA: What does this mean for the company? 
Kellermann: It will be very difficult for Hannaford Bros. to bounce back due to inevitable class actions by the banks and the loss of reputation. It will also take other public breaches and awareness that most organizations are regularly breached to marginalize the public relations fallout from this event.

CSA: How can breaches like this be prevented in the future? 
Kellermann: Four steps could have prevented the incident. First and foremost, retailers need to perform regular penetration testing. This is when a company attacks its own networks before the hackers do. This enables companies to identify potential security risks and fix them before data breaches occur. PCI compliance is critical, but so is regular security assurance.

Second, remediation of these critical vulnerabilities should be made a priority. Third, wireless point-of-sale systems should not be widely utilized because of the weaknesses in wireless security. And finally, computers within the network should require more than a password to access the system. Smart cards or biometric credentials, which cannot be digitally stolen, should have been utilized for those systems to access and process card data.

CSA: What advice should retailers keep front of mind going forward? 
Kellermann: Retailers should expect to be hit and prepare to survive. Companies should maintain an information security policy with a network topography diagram. They should also maintain training for all staff on information security. It is also necessary to conduct these ongoing penetration tests on all points of the network, with remediation of vulnerabilities. Retailers need to absolutely make this a No. 1 priority for the welfare of their company.


Source: Chain Store Age
