Hannaford Looks for Answers After Breach

An analyst says that it will be important to find out whether the supermarket chain was PCI-compliant.

In the wake of a security breach involving the theft of more than 2,000 credit card numbers, Hannaford Bros. officials March 18 worked to ease concerns of customers who may have been victimized.

The supermarket chain, which is based in Scarborough, Maine, and runs stores in New England and New York as well as Sweetbay supermarkets in Florida, posted a letter on its Web site from CEO Ron Hodge, saying that the company's systems are among the most secure in the industry. Hodge also said that while credit and debit card numbers and expiration dates were stolen, no personal information, such as names and addresses, was taken.

Hodge said the data was illegally taken during the transmission of credit card authorization.

However, the breach raises the question of what security measures were used by Hannaford, and whether the retail chain was compliant with credit card data security standards established by the Payment Card Industry (PCI) Security Standards Council.

Hannaford, which has set up a special team to deal with the investigation of and fallout from the breach, did not reply to a request for comment from eWEEK.

One analyst said it will be important to learn what security measures the supermarket chain had in place.

Steve Rowen, an analyst with RSR Research, said that if Hannaford was PCI-compliant during the time period the breach occurred (officials reportedly have said they discovered the breach Feb. 27), it could have implications for data encryption in general and PCI standards in particular.

"At first glance, it would appear that Hannaford is just another example of a retailer who adopted the wait-and-see attitude typical of so many retailers we've surveyed over the past years," Rowen said. "But there are key reasons to believe that the Hannaford breach was different. Hannaford CEO Ron Hodge's statement included the perfunctory mention that the company believed its protection methods to be strong."

Rowen pointed to news reports in the Boston Globe indicating that Hannaford was compliant with key industry standards, which he said further raises the question of whether Hannaford did comply with PCI standards.

"If that does, indeed, prove true, this breach could take on an entirely different meaning for the retail industry," he said.

Glenn Boyet, director of marketing and communications for the PCI Security Standards Council, said the council sets standards but does not certify or track companies to ensure compliance.


A spokesperson for credit card issuer MasterCard said MasterCard monitors PCI compliance based on regular reports from acquiring bank customers but does not publicly comment on the reports or comment on compliance status.

Rowen said PCI compliance is simply evidence that retailers are using business tools to protect customer information, but that by itself is not enough to guarantee against security breaches like the one at Hannaford.

"It will likely be some time before we find out, but Hannaford may well be the first of the 'good guys' taking a proactive customer data security stance to be truly victimized," Rowen said.

In his letter, Hodge said Hannaford is working with card issuers to ensure those customers impacted are protected.

"We also alerted law enforcement authorities and are working closely with them to help identify those responsible," he said. "We realize this incident may raise concerns and questions for our customers, and we sincerely regret any inconvenience this attack on our system may cause you."

Dan Berthiaume covers the retail space for eWEEK.