Computerworld
Quick Menu
Search



Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Paying breach bill may not buy Hannaford full data protection

The grocer is spending millions of dollars on new IT security tools. But they might not have prevented the theft of payment data from its systems.

By Jaikumar Vijayan
Comments
7
Recommended
171

Active Comments

Danny Lieberman says: I'm seeing headlines like - "Millions of dollars on IT security upgrades" and PCI consultants praising replacement of all the...
Read the rest | Reply
Michael Cherry says: I think everyone who wants to avoid a future lawsuit should follow Hannaford’s lead and encrypt their customer’s credit card...
Read the rest | Reply
All Comments (7) | Post New


Zone

Featured Zone
The Security Zone

With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical...

Learn more in The Security Zone
See All Zones

April 28, 2008 (Computerworld) Hannaford Bros. Co. said last week that it expects to spend "millions" of dollars on IT security upgrades in response to the recent theft of up to 4.2 million credit and debit card numbers from its systems.

Some of the new measures that the grocer outlined go beyond the controls mandated by the Payment Card Industry Data Security Standard, or PCI. But it isn't clear whether they actually will address the issues that led to the data breach.

The planned upgrades include the installation of intrusion-prevention systems on Hannaford's corporate network and the systems at its stores, plus the deployment in checkout aisles of new PIN entry devices with Triple DES encryption.

Hannaford also said it has signed IBM to do around-the-clock network monitoring, and the Scarborough, Maine-based grocer vowed to encrypt all payment card data on its internal network. The goal, Hannaford CEO Ronald Hodge said during a press conference, is to put "military- and industrial-strength" security controls on the company's systems.

The level of encryption that Hannaford has in mind isn't required by the PCI rules, which specify that card data needs to be encrypted only if it's being transmitted across open public networks.

Despite the lack of more-stringent requirements, encrypting card numbers on point-of-sale devices is "the most significant action" that retailers can take to stop attacks such as the one that hit Hannaford, said Gartner Inc. analyst Avivah Litan.

But that doesn't necessarily mean that the new security measures will make Hannaford — or other companies that follow its lead — immune to future attacks.

Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill., praised some of the steps Hannaford is taking, including an earlier decision to replace all of the company's store servers. As part of the breach, malware was placed on the systems and then used to intercept the payment card numbers.

Huguelet said that the planned end-to-end encryption of card data also sounds good — on paper. But to make the data hacker-proof, he added, it would have to be encrypted from the PIN entry devices in stores to the systems of the payment-processing firm that authorizes card transactions.

And because almost no payment processors accept encrypted data at this point, Hannaford would likely need to convince the firm it works with to make system changes as well. "It's a tricky thing," Huguelet said.

Similarly, Hannaford's decision to replace all of its existing PIN entry devices puts it ahead of the curve in meeting a PCI mandate that companies must start using models with built-in support for Triple DES by July 2010.

But in most cases, the Triple DES technology encrypts only a customer's PIN, according to Huguelet. So even if Hannaford was already using such devices, it's unlikely that they would have prevented the card numbers from being compromised, he said.



Make a Comment Recommend Story Slashdot this Digg this
Print Story Send Feedback Email this Reprints

Related Content

Webcast: Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management
Whitepaper: Guide: Implementing UTM at Branch

CW Report: An Apple for Your Enterprise?
Nokia heralds N97 as most powerful mobile phone yet
Too good to ignore: 6 alternative browsers
7 ways to cut your software costs during the economic downturn
Major e-stores malfunction on Black Friday and Cyber Monday
MIT researchers boost the power of solar energy

Today's Top Stories

New Windows worm builds massive botnet
Windows market share dives below 90% for first time
7 ways to cut your software costs during the economic downturn
Major e-stores malfunction on Black Friday and Cyber Monday
How spyware nearly sent a teacher to prison
Glory days: How high school shaped nine IT leaders

What People Are Saying

See comments | Add new
See comments | Add new

Resource Alerts

to receive Security Resource Alerts

Webcasts

The Secure Web Gateway. Mission Critical For Business

Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare

Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management

Whitepapers

IronPort Encryption Technology: Safeguarding Business Email

Juniper Networks SSL VPN and Oracle Identity Federation Implementation Guide

Guide: Implementing UTM at Branch

Computerworld Reports

Compterworld Technology Briefing: Intelligent Users Use Business Intelligence

Computerworld Report- Large Enterprises Pay More for IPAM

An Apple for Your Enterprise?

Editor's Picks

New Windows worm builds massive botnet

Windows market share dives below 90% for first time

7 ways to cut your software costs during the economic downturn

Major e-stores malfunction on Black Friday and Cyber Monday

How spyware nearly sent a teacher to prison

Glory days: How high school shaped nine IT leaders

Shark Bait
View Shark BaitFired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.

New baits
Shark Bait
Webcast

Turning information into a Competitive Advantage "Turning information into a Competitive Advantage"

Companies today are realizing that competitive advantage is harder to sustain when based solely on gains in productivity and cost efficiency. The focus is shifting to invest more in business optimization initiatives which rely on trusted information to develop new insights that deliver better business results. But how can this be done efficiently in a business environment across multiple applications and processes. The answer is an Information Agenda - an innovative approach to transforming business information into a strategic asset for competitive advantage.

View this webcast now! more

See more Webcasts more
TODAY'S TOP BLOG
Patrick Thibodeau:
Satellite images of U.S military bases Which is more important? Helping terrorists or protecting military bases? Answer: protecting Web 2.0 ... [more]
 


Webcast: The Automation of IT Compliance Programs: Reducing Risk, Cost and Complexity of Corporate Compliance
To meet the growing number of industry and federal regulations, businesses spend significant time, effort, and budget determining how to best meet continuously evolving IT compliance requirements this new Forrester Research and Juniper Networks Webcast led by industry experts who examine global IT security and compliance trends, common IT compliance issues and challenges, and best practices for successful IT compliance programs.

View this webcast 
Whitepaper: Tackling the Top Five Network Access Control Challenges
The major challenge enterprises face today is how to create innovative business models and to increase productivity by opening the network to a dynamic workforce, while at the same time protecting critical assets from the vulnerabilities that openness and user mobility bring. In addition, to comply with industry and governmental regulations, enterprises must prove that they have stringent controls in place to restrict access to sensitive data. This paper describes the top five networking access control challenges that companies like yours are facing and solutions that they are deploying today.

Download this white paper 
Whitepaper: Addressing PCI Compliance with a Comprehensive Network Access Control Solution
The Payment Card Industry (PCI) is one of the most comprehensive data security standards in a cluster of regulations that have emerged over the past decade. Meeting its requirements is both complicated and expensive for many companies. Learn how a comprehensive access control solution allows retailers and consumer organizations adhere to the core tenets of PCI, and delivering the necessary information and reports needed for compliance audits.
Download this white paper 
Whitepaper: Control System Cyber Vulnerabilities and Mitigation of Risk for Utilities
Today's global industrial infrastructure includes thousands of electric utilities, water/wastewater management companies, oil and gas suppliers, chemical manufacturers and other facilities critical to daily functioning. Learn why relying on off-the-shelf operating systems and Internet-based remote access control to carry out production tasks, traditional control networks can leave today's global industrial infrastructures vulnerable to hackers, extortionists, worms, viruses and application-level attacks. Deploying network-based security can protect these at-risk systems–without requiring infrastructure replacement.
Download this white paper 
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect IDG World Expo Infoworld
The Industry Standard ITworld JavaWorld LinuxWorld MacUser Macworld Network World PC World Playlist
Copyright © 2008 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.