Saturday | 11 October, 2008
Computerworld
Hannaford to spend 'millions' on IT security after breach
Theft of 4.2 million credit and debit card numbers results in millions of dollars in IT security upgrades for US grocer
Jaikumar Vijayan 23/04/2008 08:24:34


Executives at Hannaford Bros. said Tuesday that the grocer expects to spend "millions" of dollars on IT security upgrades in the wake of the recent network intrusion that resulted in the theft of up to 4.2 million credit and debit card numbers from its systems.

The planned upgrades include the installation of new intrusion-prevention systems (IPS) that will monitor activities on Hannaford's network and the individual systems at its stores, plus the deployment of PIN pad devices featuring Triple DES encryption support in store checkout aisles.

Hannaford also has signed on IBM to do around-the-clock network monitoring under a managed security services deal, according to Ron Hodge, the grocer's president and CEO, and Bill Homa, its CIO. In addition, the Scarborough, Maine-based company said previously that it had replaced all of the servers in its stores as part of an effort to rid its network of malware programs that were placed on them during the intrusion.

Hodge said during a press conference this morning that Hannaford is working with IBM, General Dynamics, Cisco Systems and Microsoft on the upgrade program, which is aimed at putting "military- and industrial-strength" security controls in place. The total price tag for the security upgrades will be "a big number," he added, although the exact cost has yet to be determined. "It's going to be millions, but not tens of millions," Hodge said.

The only specific cost that he broke out was about US$5,000 per store for the host-based IPS tools that will be installed on local systems. Hannaford said previously that the data breach involved payment card transactions processed at nearly 300 stores: all of its 165 supermarkets in New England and New York, plus 106 stores operated under the Sweetbay name in Florida and 23 independently owned markets that sell Hannaford products. If the IPS technology is deployed at each of those locations, the tab for that part of the upgrade program alone would amount to US$1.5 million.

Hannaford disclosed on March 17 that unknown intruders had broken into its computer network and stolen the credit and debit card numbers as well as their expiration dates. In a letter sent to Massachusetts officials eight days later, the company said that the perpetrators had planted malware on the servers at each of the 294 affected stores.

The malware intercepted the card data as it was being transmitted from point-of-sale systems to authorize transactions, then forwarded the information in batches to a server located overseas, according to Hannaford. The incident at the grocery chain and a similar one reported two weeks later by the Okemo Mountain Resort ski area in Vermont indicate that cybercrooks are now targeting data that's in transit between systems, when it may not be encrypted or as well protected as stored data is.

During this morning's teleconference, which Hannaford held to provide an update on the measures it has been taking since the breach was discovered, Homa said that the security upgrades are focused on improving the company's "deterrence, prevention and detection" capabilities. Over the next 18 months or so, Hannaford plans to bring its security management processes into compliance with the ISO 27001 security standard, he added.
