Reflecting on Hannaford: Breaches Happen, Accept It

By Lawrence Walsh

Hannaford Bros. breach proves, yet again, that there's no such thing as "unbreakable" security.

Since Hannaford Brothers disclosed that roughly 4 million customer credit and debit card numbers had been compromised, I’ve been flooded with e-mails from security vendors and consultants who want to tell me how this and other such incidents could have been prevented.

In the wake of Hannaford’s disclosure, Ronald Hodge, the supermarket chain’s CEO, wrote to customers: “We have stopped this theft and brought in top security experts to help us guard against any further attacks.”

Both assertions are utter nonsense.

Hannaford and the massive TJX breach before it prove that security is a moving target and there’s never a guarantee. Anyone who tells you that they are “100 percent secure,” “bulletproof” or, dare I say, “unbreakable” is ignorant, naïve or lying.

Even as regulators and security experts were deconstructing the TJX incident last year, retailers subject to the PCI requirements associated with securing credit card payments were making cold business decisions on compliance.

TJX, the parent company of TJ Maxx and Marshalls, chose cost savings over security when it decided not to upgrade its wireless protections. The result, as we all know, was the compromise of 94.5 million payment records. Many retailers continue to make the same decision because, if you do the math, the fines for PCI noncompliance are sometimes cheaper than the cost of improving and maintaining security.


Hannaford, on the other hand, may well have been PCI compliant at the time of the breach. If so, it is unlikely to face the same scrutiny and may not owe the damages to banks and credit unions that TJX did. It may still face civil lawsuits for not notifying affected customers quickly enough, but that’s a procedural issue, and it says nothing about whether the company’s card data was actually safe.

This article was originally published on 2008-03-28
Lawrence Walsh is editor of Baseline magazine, overseeing print and online editorial content and the strategic direction of the publication. He is also a regular columnist for Ziff Davis Enterprise's Channel Insider. Mr. Walsh is well versed in IT technology and issues, and he is an expert in IT security technologies and policies, managed services, business intelligence software and IT reseller channels. An award-winning journalist, Mr. Walsh has served as editor of CMP Technology's VARBusiness and GovernmentVAR magazines, and TechTarget's Information Security magazine. He has written hundreds of articles, analyses and commentaries on the development of reseller businesses, the IT marketplace and managed services, as well as information security policy, strategy and technology. Prior to his magazine career, Mr. Walsh was a newspaper editor and reporter, having held editorial positions at the Boston Globe, MetroWest Daily News, Brockton Enterprise and Community Newspaper Company.