Most Important Lesson Learned from Supermarket Data Breach

It has been over two years since the grocery chain Hannaford Brothers announced a breach of its network security that exposed over 4 million credit card numbers and led to 1,800 cases of fraud. A quick review of the Privacy Rights Clearinghouse's Chronology of Data Breaches shows that Hannaford is not the only supermarket chain to have sustained a data breach.

Several years ago, Ahold USA (parent company of Stop & Shop and Giant stores) sustained a breach via its subcontractor Electronic Data Systems. Numerous Stop & Shop supermarkets in Rhode Island and Massachusetts had credit and debit card account information stolen, including PINs, by thieves who apparently tampered with checkout-line card readers and PIN pads. Albertsons (Save Mart Supermarkets) in Alameda, California also had credit and debit card numbers stolen using bogus checkout-line card readers. And Lunardi's Supermarket in Los Gatos, California had a similar experience with tampered ATM and credit card readers that quickly led to the theft of $300,000.

What makes the Hannaford incident noteworthy is that the chain was supposedly PCI compliant at the time. According to the indictment filed against the Hannaford mastermind, the theft resulted from a hack into corporate computer networks that allowed the placement of malware, which in turn provided backdoor access to the networks and to the credit card information flowing through them. The initial means of entry was the commonly used SQL injection attack: untrusted input reaching a database query as SQL rather than as data.
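To make the attack vector named above concrete, here is an added example (not code from the original post, and not anything from the Hannaford systems) showing the shape of a SQL injection flaw and its fix. The table names, the columns and every row are constructed for illustration; the point is that a query built by string concatenation lets an attacker append a UNION that reads a table the application never meant to expose, while a parameterized query treats the same input as a plain string.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample database (hypothetical schema, fake data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.execute("CREATE TABLE cards (pan TEXT, expiry TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("4111111111111111", "12/29"), ("5500000000000004", "06/28")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by concatenation: the input becomes part of the SQL text."""
    sql = "SELECT email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the driver passes the input as data, never as SQL."""
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attack string. Against the concatenated query it closes the
# string literal, appends a UNION that pulls two columns from the cards
# table, and comments out the trailing quote. The column count (2) must
# match the original SELECT, which is why expiry is selected alongside pan.
PAYLOAD = "x' UNION SELECT pan, expiry FROM cards --"


def demo():
    """Runs the same payload through both versions and returns the two results."""
    conn = build_db()
    leaked = sorted(lookup_vulnerable(conn, PAYLOAD))
    blocked = lookup_safe(conn, PAYLOAD)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable query returned:", leaked)
    print("parameterized query returned:", blocked)
```

The vulnerable version returns every row of the cards table even though the application only ever queried customers; the parameterized version returns nothing, because no customer has an email equal to the literal payload string. Prepared statements with bound parameters are the fix; input filtering alone is not.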

The point is that being PCI compliant should never be the ultimate goal of your security strategy. Whether you are a supermarket chain or a large law firm, a risk management approach to network security and privacy should always take precedence. Most companies, large and small, still apply a uniform approach to security that treats all data the same. The ultimate lesson learned from the Hannaford breach: make sure your most valuable data is always the most protected. It really does not matter whether your company sells fruits and vegetables or builds nuclear missiles.