News Stay informed about the latest enterprise technology news and product updates.

The data breach that hit home

Bill BrennerCovering the security breach at Hannaford Bros. Supermarkets this week was a particularly interesting experience for me. Unlike the other breaches I’ve written about, this one really hit me where I live.

Of course, the bank did send me a new debit card after my old one was compromised in the TJX data breach, but that’s only because of one purchase I made there during the period when the data raids were in progress.

I shop at Hannaford’s every week. Even though there are several supermarkets closer to home, I’ve been making the longer trek to the store in Hampstead, N.H., because I found the prices and food quality better than the others. Despite, the breach, I won’t stop shopping there. My bank was quick to issue me a new card and I think the retailer will do what’s necessary to prevent a repeat. Of course, the company will lose a lot of money to fines and lawsuits in the meantime. Security Blog Log

Of course, after any data breach it’s important to explore how it happened and what the affected company could have done better from the outset, and Hannaford’s is no exception.

I found plenty of security bloggers doing just that. Here’s some wisdom from two blogs high on my favorites list:

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, wrote in his blog that since the information was stolen during the authorization process and was distributed over many locations, a compromise of the central authorizations system or the credit card processor is the likely source. “It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application,” he said. “My money is 70% on sniffing, 30% on something in the database.”

Of Hannaford’s claim that no personal data such as names, addresses or telephone numbers were divulged — just account numbers, Mogull wrote, “This can’t be true. Without names, the card numbers are unusable.”

Mogull also used Hannaford’s PCI DSS compliance as an example of how he believes “PCI is worthless” if the chain was allowed to be ruled compliant in the first place.

“The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain,” he wrote. “Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part. How to prevent this? We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.”

Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach.

“Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses,” he noted. “This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name your teacher in first grade. Well, maybe not the last one, but they would have every purchase of every embarrassing purchase you’ve ever made.”

The downside to this lack of association between card numbers and cardholder names, he wrote, is that they have no way of knowing who should be contacted in the breach. He said he’s not sure if that will absolve Hannaford’s of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either, he said.

Good points from both. I’ll end by saying that the big reason Hannaford’s won’t lose me as a customer is because I see them as more of a victim than a villain.

Through my own reporting on PCI DSS compliance I know the company had made investments to bolster the security of its point-of-sale machinery and wireless set-up.

Some are making much of the fact that this breach happened even though Hannaford’s was PCI compliant. Surely, they say, this speaks to the weaknesses of PCI DSS itself. I actually explored that angle in the wake of the TJX breach, and most of the analysts, IT pros and vendors I talked to defended the security standard. After all, it turned out, TJX was nowhere near being where it needed to be for PCI compliance.

Regardless of what one thinks of PCI DSS, it does appear that Hannaford’s was and still is working to improve its security.

But as a police officer once told me after my house was burglarized despite the burglar alarm we had installed, if the thief wants to get in badly enough, they’ll find a way.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Living in Hampstead this story really hit home as we shop there all the time. I check my debit account all the time and so far so good. Can't be too careful can we.
I think you are being too forgiving...calling Hannaford a victim rather than a villain. It took Hannaford nearly 3 weeks to inform the public of the breach. Further, Hannaford irresponsibly let customers continue to use plastic between Feb 27 and March 10 on a network that was NOT secure. To me, this is unforgiveable and an eggregious "breach" of customer trust. I loved the store (compared to the options) but will never shop there again. And, I will be helping the class action lawyers in any way that I can, since I was the true victim.
Re: PCI DSS validity What about the PCI Assessor? I'll lay odds it's not the PCI DSS, it's the assessor who either was incompetent or very lazy in determining compliance. If there are holes a mile wide in PCI DSS compliance, even though an assessor provided a compliant Report of Compliance, then it's the assessor that failed and not the standards. If this turns out to be the case, when they name the Assessment Consultancy, that company should not be allowed to do any more PCI DSS work.