After credit card data breach, Hannaford Bros. upgrades security

SCARBOROUGH, Maine - Hannaford Bros. here said last week that it was investing "millions" of dollars in upgraded security in the wake of the data breach that exposed 4.2 million credit and debit card numbers to potential theft.

In a conference call to update the media on the chain's efforts, Hannaford executives said the company has installed a security monitoring service from IBM and is rolling out new PIN pads that will encrypt card numbers before they are transmitted. The numbers will remain encrypted while on the company's network.

Ron Hodge, Hannaford's chief executive officer, said the 165-store chain will be using "military- and industrial-strength security going forward," including new systems to prevent malware installation, updated firewalls and intrusion-protection systems, as well as the rollout of an ISO 27001 information security management system. Asked to be more specific about the cost, Hodge said it will be "millions" of dollars, but not "tens of millions."

The host-based intrusion prevention system (HIPS) alone can cost up to $5,000 per store, said Bill Homa, chief information officer at Delhaize, Hannaford's parent company.

Homa said the rollout of new PIN pads will take a couple of months, and it could be the end of the year before the HIPS installation is complete. The ISO system could take up to 18 months to roll out. Forensic and criminal investigations of the breach are ongoing, the company said.

Hodge noted that sales volumes in the wake of the breach "have remained within our expectations - there has not been a drop in sales."