The Hannaford Supermarket chain suffered a data breach earlier this year that resulted in information relating to 4.2 million payment cards being grabbed. As of July 1st, Bill Homa, who had served as CIO for 12 years, stepped down from that position.

Shortly after his departure, Homa was interviewed by Storefrontbacktalk.com's Evan Schuman. In an article based on their discussion that was published July 11th, Homa shares some interesting comments regarding Microsoft, the PCI Data Security Standard, and the approach other CIOs should take towards security.

Relating to Microsoft, Homa said, "We used a lot of Linux. None of the breach was anything related to Linux. All of it was Microsoft. Homa went on to say, "Microsoft is so full of holes. That's why it's still a target. If you limit your exposure to Microsoft, you're going to be in a more secure environment."

When it comes to the PCI Data Security Standard and Hannaford's situation, including the oft-reported fact that Hannaford had recently passed a PCI compliance assessment, Homa siad, "either the standards weren't strong enough of the assessor wasn't doing his job."  Homa made his opinion particularly clear on the area where Hannaford was apparently most vulnerable - encrypting data on private point-to-point networks. "All debit and credit card transactions should be encrypted from end to end. That should be the minimum. It's astonishing that isn't the standard of PCI", Homa stated in the interview.

What was of particular interest was Homa's view of how to approach IT security. "Most retailers have the philosophy of keeping people out of their network. It's impossible to keep people out of your network. There are bad people out there", Homa said. In fact, Homa, in another part of the article, suggested that more effort needs to be focused on the assumption that the bad guys will get in and how can you limit the damage they can do.

As you might expect, Mr. Homa's comments have led to some interesting feedback. I find it especially interesting that the CIO who was in charge during the breach has so much to say less then two weeks after he left Hannaford's employment. It would be pretty easy to write this off as sour grapes, but I think we can at least take his comments about securing the data within your infrastructure as a good reminder that sooner or later, someone with malicious intent will find a way into your systems, either from within your company or from outside.

If your organization struggles to understand how your systems are configured and when those configurations change, especially as it related to the PCI Data Security Standard, you should spend some time researching configuration audit and compliance reporting solutions like Ecora Auditor Pro. It's a valuable weapon for identifying potential configuration vulnerabilities and providing you the insight needed to limit the effectiveness of anyone improperly accessing those areas of your infrastructure where sensitive customer and corporate data resides.

You do not have flash or javascript support.

Average (1 vote)

Reply