A serious data breach at the Hannaford Bros. Co. supermarket chain exposed as many as 4.2 million credit and debit card numbers to identity fraud.
In a statement released Monday on the Maine-based Hannaford website, President and CEO Ronald Hodge said the company had contained an intrusion of its computer network that resulted in the theft of customer credit and debit card numbers. The data was illegally accessed from Hannaford's computer systems during the card verification transmission process in transactions, he said, adding that Hannaford is cooperating with credit and debit card issuers to protect customers who were affected.
"Hannaford was first made aware of suspicious credit card activity on Feb. 27, and immediately initiated a comprehensive investigation with the assistance of leading computer security experts," he said. "We would advise customers that have made purchases at our stores using credit and debit cards over the last three months and who suspect that their accounts may have been compromised [to] immediately notify their card issuer or bank. Even if customers do not suspect fraudulent use of their credit or debit cards, it is always important to review billing and bank statements monthly."
The incident presents an unpleasant case of déjà vu for banks across the Northeast that were forced to reissue millions of credit cards following the security breach at Framingham, Mass.-based TJX Companies Inc. that ultimately affected more than 94 million credit card numbers. In this latest incident, banks in the Northeast and Florida face the task of blocking and reissuing hundreds of thousands of credit and debit cards, perhaps even millions.
The Massachusetts Bankers Association (MBA) said in a statement Monday that Visa and MasterCard have contacted 60 to 70 banks in Massachusetts about a large data breach occurring at what the card companies characterized as "a major retailer." The MBA estimated that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and urged consumers to monitor their accounts. Hannaford hadn't yet been identified as the company affected when the MBA released its statement.
"The bankers association wants customers to know that this was not a problem caused by banks," said Daniel J. Forte, president and CEO of the MBA. "Each bank that received an alert from the card companies will make its own decision whether or not to issue new cards or to monitor the accounts for the time being. In either case, customers need not worry and can protect themselves by monitoring their accounts."
Data breach preparedness critical
The Hannaford breach happened despite investments made to bolster security in the last couple of years. As part of its PCI DSS compliance measures, for example, the company worked with its checkout counter computer software vendor to enhance encryption and eliminate some of the credit card data that had been stored. The fact that a breach occurred anyway illustrates the need for companies to create an advance response plan.
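The data-minimization control mentioned above (keeping less card data on disk) is easier to picture with code. The following is an added illustration written for this article, not Hannaford's or its vendor's software: it reduces an authorization record to a masked PAN plus a keyed token (so the full number is never stored and sensitive authentication data such as the CVV is dropped), and it scans constructed sample log lines for Luhn-valid card numbers that should not be there. The key, the record layout and the log lines are all made up for the example.

```python
import hashlib
import hmac
import re

# Candidate run of 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed key for the example; a real deployment would keep this in an HSM
# or secrets manager, never in source code.
TOKEN_KEY = b"example-only-tokenization-key"

# Constructed sample log lines (timestamps and terminal ids are invented).
SAMPLE_LOG = """\
2008-02-27 10:14:03 POS-17 auth ok pan=4111111111111111 exp=03/10 cvv=123
2008-02-27 10:14:09 POS-17 order=4111111111111112 total=42.17
2008-02-27 10:15:44 POS-03 auth ok pan=5500 0000 0000 0004 exp=11/09
2008-02-27 10:16:01 helpdesk callback 207-555-0143
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN: lets records be linked without storing the PAN.
    A plain unkeyed hash would be brute-forceable over the 16-digit space."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimize_record(auth: dict, key: bytes) -> dict:
    """Build the record that may be stored after authorization.

    Only the masked PAN, a token, expiry and amount survive. The CVV, PIN
    block and magnetic-stripe track data are deliberately not copied over,
    because PCI DSS forbids retaining them after authorization.
    """
    pan = re.sub(r"\D", "", auth["pan"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("field does not look like a valid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "expiry": auth.get("expiry"),
        "amount": auth.get("amount"),
    }


def find_pans(text: str) -> list:
    """Scan free text (logs, dumps) for Luhn-valid card numbers.

    Returns masked forms only, so the scanner's own output is not a new
    place where full PANs are written down.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    record = minimize_record(
        {"pan": "4111 1111 1111 1111", "expiry": "03/10", "cvv": "123", "amount": "42.17"},
        TOKEN_KEY,
    )
    print("stored record:", record)
    print("PANs found in sample log:", find_pans(SAMPLE_LOG))
```

Running the scanner over the sample lines reports the two real card numbers and ignores the 16-digit order id (which fails the Luhn check) and the phone number (too short), which is the behaviour you want when sweeping point-of-sale logs for data that should have been eliminated.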
"Obviously you should try to avoid the breach through an information security policy, compliance with which is strictly policed," said Brian Davey, a senior consultant at Teed Business Continuity. "However, a risk assessment should be conducted to determine to what extent security breaches are a threat to the organization, given the existing controls in place."
A business impact analysis process should be a part of any continuity management program to help identify the consequences should a breach occur, he said in an email interview. From there, he said, a company should set up an incident management team.
"The team should be led by a senior manager with board-level authority, and be comprised of relevant IT technical experts and business representatives plus legal, HR and public relations people," he said. "The team must be underpinned by an escalation process where at least one team member can be contacted, regardless of the day and time, by anyone who discovers a breach or other abnormal situation."
The team should be put through a drill every six months at least to validate roles and responsibilities, raise awareness, test assumptions and identify any actions required to be taken pre-incident to support an effective response, Davey said. This can be done through a facilitated tabletop exercise where the team is given an initial scenario to respond to and regular updates are provided to increase the challenge they face. The scenarios can be extended to cover not just data breaches, but also general security breaches, deliberate data manipulation, data corruption, loss of use of a data center, and so on.
Mistakes to avoid
Davey said there are some common mistakes companies tend to make after discovering a possible data breach. The first mistake is to treat the problem as an IT issue rather than a business issue requiring a business-led response.
Another mistake is in trying to avoid responsibility for what happened and attempting to cover up the extent of the damage. Companies need to be honest from the start and take full responsibility, he said.
In his experience Davey has seen too many cases where the top brass avoid taking responsibility and look for a scapegoat to blame, "such as the UK's Her Majesty's Revenue and Customs (HMRC), which tried to blame a junior official rather than senior management taking full responsibility regardless of who is to blame," he said.