Reflecting on Hannaford: Breaches Happen, Accept It

By Lawrence Walsh  |  Posted 2008-03-28

Since Hannaford Brothers disclosed that 4 million customer credit and debit card numbers were compromised, I’ve been flooded with e-mails from security vendors and consultants who want to tell me how this and other such incidents could have been prevented.

In the wake of Hannaford’s disclosure, Ronald Hodge, the supermarket chain’s CEO, wrote to customers: “We have stopped this theft and brought in top security experts to help us guard against any further attacks.”

Both assertions are utter nonsense.

Hannaford and the massive TJX breach before it prove that security is a moving target and there’s never a guarantee. Anyone who tells you that they are “100 percent secure,” “bulletproof” or, dare I say, “unbreakable” is ignorant, naïve or lying.

Even as regulators and security experts were deconstructing the TJX incident last year, retailers subject to the PCI requirements associated with securing credit card payments were making cold business decisions on compliance.

TJX, the parent company of TJ Maxx and Marshalls, chose cost savings over security when it decided not to upgrade its wireless protections. The result, as we all know, was the compromise of 94.5 million payment records. Many retailers continue to make the same decision because, if you do the math, fines for noncompliance with PCI are sometimes less expensive than improving and maintaining security.

Hannaford, on the other hand, may have been PCI compliant. What that means is it won’t face the same scrutiny and may not owe damages to banks and credit unions as TJX did. It may face civil lawsuits for not acting quickly enough to notify affected customers, but that’s a procedural issue.

Both cases demonstrate what organizations can do with risk. There are four options:

  • Mitigate: Take steps to prevent security breaches and incidents.
  • Defer/assign: Give someone else responsibility to secure your data and infrastructure (such as a managed services provider) or get insurance to cover damages incurred as a result of a breach.
  • Accept: Understand and accept that you can only mitigate so much risk and that you will always have some level of exposure.
  • Ignore: Simply do nothing. 

It could be argued that TJX accepted its risk by choosing not to improve its security, but some would also say that it ignored the risks by not meeting PCI standards. Hannaford mitigated its risk by complying (we assume) with PCI, but the company wasn’t completely invincible.

Everyone says that security breaches and identity thefts have real costs. If you believe the Ponemon Institute’s figure stating that each compromised record costs $197 to remediate, then the TJX breach should cost $18.5 billion. In reality, remediating the damage and paying punitive penalties will cost TJX only around $300 million.

People argue that it’s hard to put a price on the damage to a company’s reputation for allowing a security breach. Ahem, in the year TJX struggled with its massive breach, its sales were up 7 percent, and its stock price remained stable. In other words, there was no reputational damage.

Incidents like these demonstrate that enterprises need to do what they can to mitigate risks and then accept that a breach is still going to happen. Threats and risk are ubiquitous and evolving. IT systems are inherently flawed and vulnerable, despite the security we put in to protect them. And every enterprise is subject to the human factor: Users and hackers will always find new and innovative ways to break systems, regardless of the protections.

No matter how much money enterprises spend on security, they will never mitigate their security exposure to zero. You can’t ignore risk; that’s stupid. Everyone should make a reasonable effort to provide an adequate level of protection. That doesn’t mean bulletproof security, but there should be enough safeguards to avoid a casual, trivial breach.

At a certain point, enterprises, regulators and users must accept the fact that breaches will happen to everyone. So get comfortable with that concept, because a breach will eventually happen to you, too.

Lawrence M. Walsh is editor of Baseline magazine. What do you think of risk exposure and mitigation strategies? Send Larry your thoughts at