Hannaford Bros. chain says it has upgraded monitoring in wake of identity thefts
Hannaford Bros. Co., which has two dozen supermarkets in the Capital Region, says it has taken extraordinary measures to protect shoppers from the identity theft that exposed millions of debit and credit card numbers more than a year ago.
The moves include hiring General Dynamics Corp. to help the Maine-based grocery chain upgrade its network security infrastructure.
"They're the premier cyber security contractor for the Department of Defense," Hannaford spokesman Michael Norton told the Times Union in an interview on Friday.
Hannaford detailed its new information security plan just days after federal authorities in New Jersey said they believe the man responsible for the security breach is Albert Gonzalez, a 28-year-old Miami resident who has been in custody since 2008 on other federal computer hacking charges. A federal grand jury indicted Gonzalez on Monday, and he faces up to 35 years in prison and millions of dollars in fines if convicted.
Despite its use of new technologies and security protocols, Hannaford won't say its data networks are 100 percent hacker-proof.
But using debit and credit cards at the company's stores is likely safer than it was in December 2007 when Gonzalez and a crew from Russia allegedly hacked into Hannaford's network to expose 4.2 million account numbers.
Hannaford has not experienced any data breaches since it uncovered the theft in March 2008, but Norton says feeling good about that doesn't help companies like Hannaford keep data safe.
"It's not a situation where you want to sit on your hands," Norton said. "It had never happened before, and that's where we want it to be. It was sophisticated. That said, we don't want to take for granted that there aren't people out there with equal capability. There's people trying to do bad things."
When news of Gonzalez's indictment broke Monday, Hannaford referred questions to the U.S. Attorney's Office in Newark, N.J., and issued a statement that it was "pleased" that federal authorities had aggressively pursued the case to bring an indictment.
Norton said Friday that "talking about it isn't always contributing to the security."
But he revealed that in addition to hiring General Dynamics, Hannaford is using a security monitoring and detection service from IBM Corp. that provides instant alerts of "intrusive traffic" on its network.
The company has also implemented what's known as Triple DES PIN encryption, which Norton says is the highest level of PIN number encryption available. And Hannaford installed new intrusion prevention systems to prevent so-called malware, or malicious software, from being installed on its system. Federal authorities say that Gonzalez installed malware on the Hannaford system to help reveal account numbers.
Hannaford won't say what the new upgrades cost the company, but Norton did say that some expenses the company incurred went above its existing security budget.
"The bottom line is you just have to be diligent," he said. "It really is detail work. I think we're doing the right kinds of things. We're monitoring for new threats, not just simply thinking of old threats."