How Was Hannaford Hacked?
Those who may have initially assumed that the data breach that exposed the information of more than four million credit and debit card accounts of customers of Hannaford Bros. was due to lax security may find that it wasn’t the grocer’s fault after all.
According to Carol Eleazer, vice president of marketing for Hannaford, the company was certified last month as being compliant with the PCI Security Standards Council’s standards.
The simple fact, some experts say, is that it is not possible for any retailer to totally safeguard consumer records.
“That’s like asking if you can have a 100-percent secure home that cannot be broken into,” Avishai Wool, chief technical officer at the computer network security company AlgoSec, told The Associated Press. “I don’t think you can. If the bad guys spend enough money and have the appropriate equipment, they can go through anything.”
Slavik Markovich, chief technology officer of Sentrigo Inc., a database security company, said data breaches have reached “global epidemic” proportions.
“Overall, this type of attack, lasting several months and resulting in large-scale data theft and actual cases of fraud, demonstrates once more that enterprises are being proactively targeted by organized crime. Weak links anywhere in the data chain that leave the data vulnerable to theft are exploited,” he wrote in an email to The AP.
It should be noted that while not enough detail is known at this point to fault Hannaford Bros., the internet is rife with speculation about certain aspects of the company’s story.
A piece on Evan Schuman’s Storefront Backtalk site, for example, questions the timing of Hannaford’s PCI recertification. “As a Level 1 retailer, Hannaford is only required to undergo a PCI assessment once a year. If they were compliant in the Spring – regardless of which month it was – it seems eyebrow-raising that they would have sought another assessment so soon.”
To have completed the certification by last month, the article suggests, the process would have had to begin around Nov. or Dec. of last year.
Hannaford has said the breach began on Dec. 7 of last year and ended on March 10.
Discussion Questions: What questions do you have based on the disclosures made by Hannaford Bros.? Are the standards needed to safeguard consumer data adapting quickly enough to keep up with the security challenge?
- Supermarket Data Breach Still Unsolved – The Associated Press/Google
- A Message From Hannaford CEO Ron Hodge – Hannaford Bros.
- What Did Hannaford Know And When Did It Know It? – Storefront Backtalk