Hannaford Bros. Co. said this week that it intends to deploy a broad range of security technologies, including new intrusion-prevention systems and encryption to protect credit card data during a transaction.
The Scarborough, Maine-based company said it plans to bolster its systems in the wake of a data breach in which 4.2 million credit and debit card numbers were stolen from its systems. The intrusion took place between Dec. 7 and March 10.
Ron Hodge, the grocer's president and CEO, and Bill Homa, its CIO, said the company's systems were compliant with the PCI Data Security Standards (PCI DSS), but the standards offer little coverage over consumer data in motion during credit card transactions processed at nearly 300 stores.
Homa said the company signed a managed security services deal with IBM to conduct 24-hour network monitoring. The goal, Homa said, is to align the company's security processes with the ISO 27001 security standard.
In addition, the company is working with General Dynamics, Cisco Systems and Microsoft to upgrade and replace affected systems. New PIN pads with encryption capabilities will also be installed. In all, Hodge said the company would spend millions of dollars in the upgrade program.
Investigators are still trying to figure out how attackers placed malware on the Hannaford servers to silently sniff the data while it was in motion.
Experts say the breach serves as an important lesson that it's just as important to limit the network access of employees and regularly monitor system activity as it is to purchase security technology to block attacks from the outside. The messaging system connecting Hannaford's complex systems could have provided the hole necessary to install malware onto the grocer's systems.