Reflecting on Hannaford: Breaches Happen, Accept ItBy Lawrence Walsh | Posted 2008-03-28 Email Print
WEBINAR: Live Date: December 14, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Modernizing Authentication — What It Takes to Transform Secure Access REGISTER >
Hannaford Bros. breach proves, yet again, that there's no such thing as "unbreakable" security.
Since Hannaford Brothers disclosed that the information on 4 million customer credit and debt card numbers was compromised, I’ve been flooded with e-mails from security vendors and consultants who want to tell me how this and other such incidents could have been prevented.
In the wake of Hannaford’s disclosure, Ronald Hodge, the supermarket chain’s CEO, wrote to customers: “We have stopped this theft and brought in top security experts to help us guard against any further attacks.”
Both assertions are utter nonsense.
Hannaford and the massive TJX breach before it prove that security is a moving target and there’s never a guarantee. Anyone who tells you that they are “100 percent secure,” “bulletproof” or, dare I say, “unbreakable” is ignorant, naïve or lying.
Even as regulators and security experts were deconstructing the TJX incident last year, retailers subject to the PCI requirements associated with securing credit card payments were making cold business decisions on compliance.
TJX, the parent company of TJ Maxx and Marshalls, chose cost savings over security when it decided not to upgrade its wireless protections. The result, as we all know, was the compromise of 94.5 million payment records. Many retailers continue to make the same decision because, if you do the math, fines for noncompliance with PCI are sometimes less expensive than improving and maintaining security.
*Want a detailed look at changes to PCI requirements? Read Baseline's Keeping Up with PCI Standards.
Hannaford, on the other hand, may have been PCI compliant. What that means is it won’t face the same scrutiny and may not owe damages to banks and credit unions as TJX did. It may face civil lawsuits for not acting quickly enough to notify affected customers, but that’s a procedural issue.