Hannaford Data Breach is Likely Much Worse Than Reported

By PatB
Contributing Writer, [GAS]

Hannaford Brothers Supermarkets, a large New England grocery store chain, reported that they suffered a data breach. The store’s network was penetrated and hackers were listening in during credit card authorizations. Already, there are 1,800 confirmed cases of fraud associated with the breach. At risk are 4.2 million additional credit card accounts.

From WBZ here:

A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday. Credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough.

“We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement released Monday.

The company urged its customers to monitor their credit and debit cards for unusual transactions and report any problems to authorities.

I happen to speak fluent security-breach doublespeak. When Hannaford says that the breach began on December 7th, they mean they only have logs dating back that far. When the CEO says they are taking aggressive steps to augment their network security, he really means that they are going to get a firewall, an IDS, and start segmenting their database from the rest of the network like they are supposed to do.

And when the Vice President of Marketing gets quoted in the press talking about the security breach, it means that there is no CIO (Chief Information Officer) at the company.  It means their network was designed haphazardly with only a minimal thought to security.  What, they couldn’t get a quote from the President of Marketing?  How does the dairy stocker in store 413 feel about the breach?  He probably knows as much about network security as the Marketing VP.

All of this means that as the days go on, you will see more and more headlines talking about this breach being much worse than originally thought. The number of fraud cases will climb precipitously… and no one will be fired from Hannaford.

If you shop there and have used a credit card, get a copy of your credit report ASAP.

By law, you get one free credit report per year. You can contact them below.

Equifax: 800-685-1111; www.equifax.com

Experian: 888-EXPERIAN (888-397-3742); www.experian.com

TransUnion: 800-916-8800; www.transunion.com

If unauthorized changes in your credit reports are detected, you may be a victim of identity theft. A great resource to help guide you in recovery from identity theft is at the FTC here.


31 Responses to Hannaford Data Breach is Likely Much Worse Than Reported

  1. You are absolutely right, but consider this also:

    As these are not geeks talking about issue, how do we even know that it was a network breach? It could very well have been facilitated by someone on the inside.. a "ticket to ride" rather than a breach..

  2. Tony,

    thanks for the comment. Yes, it certainly could have been an insider. But because the company was so large, they have no CIO and couldn't pay attention to their network security for months while a breach was in progress, I'm going to stick with the theory that they were simply "doing it all wrong" rather than a nefarious plot.

    And I bet the hack was ridiculously easy too. The same thing was happening to TJMaxx for months before they noticed.

  3. Ayup.. another thing to consider (my post for tomorrow talks about this) is that there are many more "Hannafords" – that is, chains big enough to have data worth stealing but small enough that their defenses are probably weak or non-existent..

  4. Exactly. It was a surprise to me that TJMaxx would be so slack. But with my experience, it's not such a stretch at all that a grocery chain would be like this. Remember, Home Depot was running a wireless connection that was hacked and guys in the parking lot were sniffing cc transactions.

    It's funny. If you go to an online store and they don't seem secure you wouldn't think twice about using a competitor. But walk into the local gas station and jiffy mart? People slap down their credit card every time.

  5. Actually, TJX didn't surprise me – I did some consulting for them years ago and didn't think much of their IT department then.. I bet there have been some big shakeups now..

    The little jiffy mart is a good example. It's probably a chain, and it probably operates on tight margins.. which could mean weak and underpaid/understaffed/highly stressed IT with a crappy budget.. nice target..

  6. They also typically place their tiny Cisco routers or DSL boxes in the back rooms adjacent to the bathrooms too. No physical security at all.

  7. :-)

    Ayup. I've been in the "router/bathroom" rooms.. more often for reasons having to do with the router..

    I also love the "We don't know where it is" places.. the wires disappear into the wall and it can be such fun finding the source.. and what's this "Cisco" you mention? I think you are more likely to find a $50 Linksys..

  8. It's been a while, but I still see the 7-11s in my area using old Cisco boxes for VPN back to corporate. Same with automotive companies from sam's used cars to bill's new chevys.

  9. They knew and didn't contain it for 3 months? What does that mean in doublespeak?

    GAH, that pisses me off... the only reason I have used my card there is when I went to see my daughter and bought her groceries. Def within that time period.

    • Actually, they discovered the breach on the 27th of February, Gins. They reported it 2 and a half weeks later. They realized that it had been going on since the 7th of Dec.

      As far as doublespeak goes, this is what it means: 2.5 weeks were spent determining their liability and how to continue their business and plug the holes at the same time. This is not so bad; every business has to be able to do this in case it happens. The real question is: Did they have a working plan in place for such a disaster? Probably not, which caused part of the delay in reporting.
