Hannaford spending millions to upgrade after security breach

PORTLAND – Hannaford Bros. Co. said Tuesday it is spending millions of dollars to enhance the security of its data network after a massive security breach that exposed up to 4.2 million credit and debit card numbers to fraud.

It was during the card approval process that customer accounts at grocery stores in the Northeast and Florida were compromised from Dec. 7 to March 10. That exposure occurred even though the company met the latest standards for data security.

Company officials said Tuesday that the new measures include encryption of all card numbers during the entire time they are within the supermarket’s data network. Hannaford also said it has installed a “24-7-managed security monitoring and detection service” from IBM to detect intrusions.

Hannaford President and CEO Ron Hodge apologized again Tuesday to customers for concerns and inconvenience they experienced because of the breach and reported that there has been no drop in sales since it was announced five weeks ago.

He called it one of the biggest challenges in the Scarborough-based company’s more than 100-year history.

In a conference call with reporters, Hodge and Bill Homa, senior vice president and chief information officer, declined to address the cause, scope and nature of the breach, citing the ongoing criminal investigation and pending litigation.

Hannaford previously blamed unauthorized software that was secretly installed on its servers for the data breach, which has been linked to about 1,800 cases of fraud. Accounts were stolen during the seconds it takes for information to travel to credit card companies for approval after customers swiped their cards in checkout-line machines.

Card numbers now are encrypted from the checkout line to the server in the store and on to Hannaford’s corporate office, where the data are transferred to a machine run by its credit card processor, Homa explained later in an interview.

Before the data breach, the credit and debit card number and expiration dates were not encrypted from the store server to the company headquarters, Homa said.

“We’ve encrypted everything under our control in our environment,” he said, explaining that some of the security upgrades were in the works before the breach came to light.

Avivah Litan, security analyst at Gartner Inc., said Hannaford’s encryption changes exceed industry standards and will leave the company with more state-of-the-art technology than its payment processors when it comes to protecting data in transit.

“They’ve actually gone above and beyond the call of duty,” Litan said. “If you encrypt data in transit and you encrypt data in motion, you really eliminate much of your risk.”

The Hannaford case is among the largest security breaches on record but is much smaller than the tens of millions of credit cards that were exposed at TJX Cos. of Framingham, Mass.

