Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try to be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."

Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption ("customer card information is now encrypted from the PINpad at the store register and remains encrypted while it's in our own internal network"), host and network intrusion prevention systems ("to proactively prevent malware from being installed in our systems") and better payment segmentation.

He also—inexplicably—used the news conference to announce that Hannaford was "the first retailer in Maine" to have a Cisco Certified Internetwork Expert (CCIE) on the payroll. Wonder if they'll call another news conference if that employee leaves?

The intrusion tracking system is something Hannaford has turned over to IBM, and Homa detailed what his concerns were. "One of the learnings of the breach is that we don't have enough eyes and hands to watch all the false positive intrusions that happen in a vast network. You have millions and millions of people pinging your IP address," he said. "So we decided to turn that over to IBM and (have them) report back to us when we have something to investigate."

Beyond IBM, Homa said vendors that his team is working with on the security upgrades include General Dynamics, Cisco and Microsoft. He also confirmed that their PCI assessor is Verizon Business Services (formerly Cybertrust), which was also the initial assessor of TJX.

The encryption upgrades at POS will take another two to three months to complete, Homa said. "In many cases, we're replacing equipment that is perfectly good except that it's been obsoleted by the requirement for additional security," he said.

The host intrusion prevention system (HIPS) contract has not yet been awarded ("we're in the middle of picking a software vendor"), so "it will probably be the end of the year before we have that fully implemented in all of our stores."

They are also implementing ISO 27001 processes, which Homa estimated would take "a year to 18 months before it's fully implemented."

He wouldn't specify the estimated cost beyond his earlier comment that it would be millions "but not tens of millions," other than to say that HIPS could cost "as much as $5,000 per store, so it starts to add up."

Other new details that cropped up during the call or shortly before:
  • Adding more anecdotal evidence that consumers don't really care about security violations. Hannaford CEO Ron Hodge told reporters that the breach did not impact sales at all. "There has not been a drop in sales," Hodge said.
  • The number of reported fraudulent acts associated with the Hannaford breach is still at 1,800. Why? No new information is being given to Hannaford, Hodge said. "We have not heard back from the credit card companies since the early days when it got to 1,800," he said.
  • Early reports had said that Hannaford replaced all of its servers. In fact, software alone was updated. The hardware remained.
  • In the first days after the breach was reported, the chief spokesperson for the breach, Hannaford marketing chief Carol Eleazer, told reporters that Hannaford had been certified PCI compliant in the spring of 2007 and then again in February 2008. She has now modified that to indicate that both assessments were done in February (one in 2007 and one in 2008).
  • Another Hannaford spokesperson had said in an interview that the customers' CVV numbers were also taken. Eleazer this week clarified that remark to mean that the magstripe data alone was taken, not the 3- or 4-digit non-embossed numbers on the back of Visa cards and MasterCards and on the front of American Express cards.
    Even though many E-commerce sites ask for the CVV, they are really asking for the CVV-2 if it's a Visa card, the CID for American Express and the CVC2 for MasterCard. No matter. The magic number that E-tailers ask for—no matter what it's called—wasn't taken, Eleazer said this week.