The supermarket chain Hannaford Bros. Co. has spent millions of dollars on additional security measures since last month's revelation that hackers may have accessed up to 4.2 million credit and debit card numbers, it said yesterday.
The grocer, based in Scarborough, Maine, has stores in Massachusetts and several other states. It has started encrypting card numbers from the moment they are swiped at checkout counters. And it has tapped IBM to monitor security for its computer network around the clock.
But Hannaford's top security executive said some other retailers are probably still vulnerable to similar attacks. "The latest threat wasn't anticipated," said chief information officer Bill Homa. "The bad guys are one step ahead."
Hannaford told Massachusetts authorities it found unauthorized computer programs, called malware, on servers in more than 270 stores. When customers swiped their credit cards, the malware intercepted the data as it was transmitted from cash register to credit card processors.
The malware stored the data - card numbers and expiration dates - on store computers and later sent the information to offshore computers, where it could presumably be picked up by the thieves.
Hannaford has said the intrusion potentially compromised cards used between Dec. 7 and March 10, sparking at least 1,800 reports of fraud.
Homa said the company complied with all the latest credit card industry security standards. But, he said, the standards were written mainly to secure data stored on retailers' internal computers and didn't anticipate that hackers might be able to intercept credit card numbers as they were transmitted to card processors for authorization.
Homa said some chains have decided on their own to encrypt credit card numbers from the moment they are swiped to prevent similar thefts, but "it's spotty," potentially leaving other chains vulnerable.
As in an arms race, computer security professionals say they are constantly forced to update their defenses to fend off the hackers' latest tactics and weapons.
"It's an ever-escalating issue," said David Hogan, chief information officer for the National Retail Federation, a trade association. "It's like building a wall around your credit card data. Your professional hacker just builds a taller ladder."
Homa said retailers not only have to take measures to keep intruders out of their networks, but also must make sure the data are as secure as possible even after hackers break in.
"Instead of just keeping people out of the network, assume people are already in," he said.
But Homa said retailers are sometimes "at the mercy" of software companies, which must first update their programs with the latest security features.
Homa said Hannaford would have implemented some of the new security measures sooner, but was waiting for its technology vendors to provide updated software.
It's still unclear whether Hannaford was victimized by an insider or an intruder. Homa said he could not divulge details about the security breach because of pending litigation and criminal probes.
Hannaford's chief executive, Ronald Hodge, said customers haven't stopped shopping at its stores, though.
"Our sales have remained within our expectations over the past five or six weeks," he said. "We are very encouraged by that."
Todd Wallack can be reached at twallack@globe.com.



