Scarborough, Maine-based Hannaford Bros. confirmed in a Boston Globe report Friday that malware installed on the 271-store chain’s servers led to a data breach that compromised as many as 4.2 million debit and credit card accounts.
Hannaford told Massachusetts regulators that it found the malware but did not know how it got into the system, the Globe reported. Nearly 2,000 cases of fraud have been traced to the breach.
Hannaford did not return a telephone request for additional comment.
What Went Wrong?
There isn’t a good explanation of what went wrong, Jim Dempsey, vice president for public policy for the Washington-based Center for Democracy and Technology, told the E-Commerce Times.
Hannaford isn’t necessarily to blame, he noted. “The first principle is there’s no such thing as perfect security. The second is that everybody who handles this information has to have a program of layered security.”
In a letter to customers, Ronald Hodge, Hannaford’s president and chief executive officer, said the company was compliant with the Payment Card Industry Standard, a 12-point set of rules that the PCI Security Standards Council put in place in 2006.
If that’s so, perhaps it’s time for the standards to be updated, Dempsey commented, adding that the fact that Hannaford was compliant with the PCI rules is “disconcerting.” The standard, which was widely praised as a much-needed improvement in data security when it was implemented, “proved not to be enough” in this case.
“This is not only a problem that Hannaford has to address but Visa and MasterCard have to get into this and figure out what went wrong and what can be done to improve the standards,” Dempsey commented.
‘Stay on Your Toes’
The breach occurred between Dec. 7, 2007, and March 10, 2008, Hannaford said, adding that the data was stolen as shoppers swiped their cards at checkout-line terminals.
All company stores in Maine, Massachusetts, New Hampshire, Vermont and New York and some in Florida had the malware, the company noted.
A class action lawsuit has already been filed in connection with the breach. More seem certain to follow, said Ilan Barzila, an attorney with Wolf, Greenfield & Sacks, a Boston-based law firm.
“I’m not familiar with [the breach at] Hannaford in detail, but I do know you need to stay on your toes and do whatever any reasonable business needs to do” to prevent a security breach, he told the E-Commerce Times.
Defining reasonable security measures is another part of the issue, Barzila continued. “You can take certain measures that you think are reasonable and let the system run for a couple of years. You may not update or audit it, and a breach happens, and the court is analyzing whether reasonable means were taken to keep security updated. A lot can change in security.”
Fending Off the Bad Guys
It can change in a hurry, Dempsey noted. “There is clearly an arms race under way between those who collect and use personally identifiable information and the bad guys who would seek to steal it.”
All security procedures and programs must be open to rigorous — and regular — review, he said.
“This certainly illustrates that, and I can’t blame the credit card industry,” Dempsey added. “I think they did the right thing. They developed a set of standards that seemed appropriate at the time and did serve undeniably to raise the bar. Now, though, as part of the normal security cycle — and you need to think of it as a cycle — the credit card companies, the issuing banks and the merchants need to reassess [and] basically issue a revised and strengthened standard.”
Jim: Legally speaking, we can’t expect the PCI to keep up with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html –Ben