
March 21, 2008

Hannaford Data Breach: Lessons in Crisis Management

Hindsight is always 20/20 -- a mistake gone public is an opportunity for the rest of us to discuss and learn from. Unfortunately, as with Britney Spears, a mistake you wish could be swept under the rug can instead be publicized and blown out of proportion. In today's social media environment, the need to be transparent and accountable is greater than ever.

Rapid7 provides security technology to the supermarket chain Hannaford. It was reported this week that card data was stolen from Hannaford's computer systems while it was being transmitted for verification during transactions. Upon hearing of the breach, Rapid7 promptly removed all references to Hannaford from its Web site, in an attempt to sever any link between itself and the fact that its security technology failed to do its job (mistake #1).

Past crises have shown that facing issues head on, owning them and talking openly about what happened is the best course of action. What is there left to discuss once you have owned up to a mistake?

Hannaford reappeared on Rapid7’s Web site on Thursday with this response (mistake #2):

"While Hannaford Brothers have confirmed that a recent breach resulted in the theft of sensitive data, Hannaford has also confirmed that NeXpose continues to provide exceptional vulnerability management and outstanding remediation reporting and that no systems within the NeXpose scan network contributed to the loss of data. Visit www.rapid7.com today to understand how NeXpose can be used to provide advanced protection against unauthorized data access."

This is definitely on the right track; however, I think Rapid7 committed another misstep. "Yes, there was a breach, but our technology is really good, we swear!" Mmmm, I think it is better to report the mistake and then talk about next steps in researching and finding ways to prevent it from happening again. Admitting a mistake and then following it with marketing speak? Probably not a best practice. As eWEEK Security Watch reported, "Instead of being honest about the realities, marketers offer silver bullets. We've all seen these ridiculous promises -- Total Protection (McAfee), Hacker Safe (McAfee, again), blocks all types of threats (Panda)." Businesses set themselves up for failure every time they make absolute statements such as these.

Network World continued posting updates to its story, trying to get answers as to why information was taken off the site and then put back up by Rapid7. Unfortunately, the reporter is getting mixed responses and the runaround from multiple people, including the CEO (mistake #3). It seems as though the lessons are going unlearned!

Comments

Mike Rothman, a security analyst, commented about this news in his daily Security Incite newsletter (http://securityincite.com/blog/mike-rothman/the-daily-incite-march-24-2008), and referenced Ryan Naraine's Security Watch blog in eWEEK (http://securitywatch.eweek.com/hannaford_data_breach_the_security_vendor_conundrum.html) as a good example of presenting both sides of the equation. Two lessons he points out that I hear all the time in this space: "PCI compliance doesn't equal security" and "There is nothing easy about security."
