Nov. 23 – The immediate annoyances of Hannaford’s recent network outage are over: Customers can once again order groceries through the company’s website and use their credit cards to buy food and medicine at Maine’s largest supermarket chain.
But two weeks after Hannaford’s online systems crashed and its parent company, Ahold Delhaize USA, announced it had “recently discovered a cybersecurity issue,” it is still unclear how dangerous the problem is and whether customer or employee information was compromised.
Ahold Delhaize USA posted a statement on November 8 saying it was conducting an internal investigation with cybersecurity experts and had notified law enforcement. Hannaford has repeatedly declined to say which agency is handling the case.
“We continue to work with leading third-party security experts as part of this process, and have notified and are working with law enforcement authorities on this matter,” said Hannaford spokesperson Ericka Dodge. “As the investigation is ongoing, we cannot release any further details at this time.”
Hannaford has 9,500 employees in 68 stores in Maine, and approximately 30,000 employees in 189 stores in Maine, New Hampshire, Vermont, Massachusetts and New York.
The situation is “very reminiscent of a ransomware attack,” said Brian Ray, founder and director of the Center for Cybersecurity and Privacy Protection at Cleveland State University School of Law. “Something quite dramatic happened because they had to take systems offline or they were already offline due to an attack,” he said.
It’s quite common for companies to delay reporting information to the public until they know the extent of the problem, although Ray says they should act as quickly as possible.
FBI RESPONDS AND ADVISES
As of Friday, neither Ahold Delhaize nor Hannaford had reported a data breach to the Maine attorney general’s office as required.
But data breach is a specific term that indicates digital information has been compromised, Ray said, and investigators working on the Ahold Delhaize case may not have reached that conclusion yet.
Ray said the FBI is “almost certainly” the agency leading the investigation. It has a robust national system of teams specialized in monitoring and responding to international online “threat actors” and the various consequences when online systems are compromised, Ray said.
A ransomware attack is a cybercrime in which a third-party actor infiltrates an online system, encrypts the victim’s data, and then demands a ransom in exchange for a decryption key or code to regain access to the locked files.
Typically, the attacker gains access through phishing emails, malicious links, or software vulnerabilities.
While many institutions and companies have anti-malware software and other protocols in place to prevent cyber attacks, these must be updated regularly to be effective. Cybercriminals are constantly looking for cracks in system defenses.
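The ransomware mechanics described above leave traces on the endpoint and file-server side, which is where detection usually starts. The following Python script is an added example, not code from Hannaford, Ahold Delhaize or the experts quoted here; it assumes a file-system audit feed of `timestamp ACTION path` lines such as an EDR or file-integrity monitor might export (the sample log and the ransom-note filename list are constructed for illustration) and flags two common ransomware hallmarks: a burst of renames to one new extension and the creation of a ransom-note file.

```python
"""Heuristic detection of ransomware-like file activity from audit events.

Added example only; the audit format, threshold values and the sample log are
assumptions made here, not Hannaford's or any vendor's tooling.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Expected audit line shape:  <ISO timestamp> <ACTION> <path>[ -> <new path>]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>CREATE|WRITE|RENAME) (?P<path>\S+)(?: -> (?P<new>\S+))?$"
)

# Filenames of the kind ransomware drops to deliver the demand (constructed heuristic list).
NOTE_PATTERN = re.compile(r"(RECOVER|DECRYPT|RESTORE|README).*\.(txt|html|hta)$", re.IGNORECASE)


def constructed_log():
    """Build a constructed sample feed: 25 renames to '.lckd' within 25 s,
    one ransom note, plus benign activity before and after."""
    base = datetime(2024, 11, 8, 2, 14, 0)
    lines = [
        "2024-11-08T01:59:00 WRITE /srv/shared/reports/q3.docx",
        "2024-11-08T02:00:00 RENAME /srv/shared/reports/draft.tmp -> /srv/shared/reports/draft.docx",
    ]
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} RENAME /srv/shared/reports/doc{i}.docx -> /srv/shared/reports/doc{i}.docx.lckd")
    lines.append("2024-11-08T02:14:40 CREATE /srv/shared/reports/HOW_TO_RECOVER_FILES.txt")
    lines.append("2024-11-08T09:30:00 WRITE /srv/shared/reports/q4.docx")
    return "\n".join(lines)


def parse_events(log_text):
    """Parse audit lines into dicts, skipping lines that do not match EVENT_RE."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "action": m.group("action"),
            "path": m.group("path"),
            "new": m.group("new"),
        })
    return sorted(events, key=lambda e: e["ts"])


def _ext(path):
    return os.path.splitext(path)[1].lower()


def detect_ransomware_activity(events, window=timedelta(seconds=60), threshold=10):
    """Return a list of alert dicts.

    Heuristic 1 (mass_rename): at least `threshold` RENAMEs inside any `window`
    that change a file's extension to the same new one (e.g. .docx -> .lckd).
    Heuristic 2 (ransom_note): CREATE of a file whose name matches NOTE_PATTERN.
    """
    alerts = []
    for e in events:
        if e["action"] == "CREATE" and NOTE_PATTERN.search(os.path.basename(e["path"])):
            alerts.append({"type": "ransom_note", "path": e["path"], "ts": e["ts"]})

    # Group extension-changing renames by the new extension, then slide a time window.
    by_ext = defaultdict(list)
    for e in events:
        if e["action"] == "RENAME" and e["new"] and _ext(e["new"]) != _ext(e["path"]):
            by_ext[_ext(e["new"])].append(e["ts"])
    for ext, stamps in by_ext.items():
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"type": "mass_rename", "extension": ext, "count": best})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_activity(parse_events(constructed_log())):
        print(alert)
```

The single benign rename (`draft.tmp` to `draft.docx`) never reaches the threshold, so only the 25-file burst and the note file raise alerts; in practice the threshold and window would be tuned per file share, and a hit would feed the incident-response plan the article describes rather than trigger automatic action on its own.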
Many companies avoid paying the ransom for two reasons: they don’t want to encourage ransom attacks, and they don’t want to break the law by potentially supporting terrorism or any other threat to U.S. security.
“The FBI has been encouraging companies not to pay ransoms for years,” Ray said. “Companies are concerned that they will be punished by the Office of Foreign Assets Control for directly or indirectly providing financial support to federally sanctioned entities.”
OFAC is a division of the U.S. Department of the Treasury that imposes economic and trade sanctions against targeted foreign jurisdictions, regimes, and other national security threats, including terrorists and international drug traffickers.
“Responding to a cyber attack is a very difficult, complicated and uncertain process, especially if your system has been compromised,” says Ray. “There’s a whole spectrum of things that can happen. Sometimes companies get a direct ransom demand, but not always.”
CYBERCRIMINALS HIDE THEIR TRACKS
Companies that are prepared will typically activate an incident response plan and bring in legal and forensic specialists to help navigate the process, Ray said. But at first it’s often unclear exactly how a system was hacked, and cybercriminals are used to avoiding detection.
“Companies must prevent further damage to the system and prevent information from being compromised,” says Ray. “But these threat actors are becoming increasingly sophisticated at hiding their tracks and making it difficult to figure out where they’ve been.”
That process becomes even more complicated if the attack involves multiple entities on different systems, he said, which could be the case with Ahold Delhaize USA, a Dutch-Belgian company that also includes Hannaford and several other East Coast supermarket chains.
While federal and state law enforcement authorities require companies to report cyberattacks, they can delay reporting until they know what’s happening, which could take days or weeks, Ray said.
“Until you’re reasonably sure what happened, you don’t want to report it,” he said. “You don’t want information to come out in small increments and confuse people even more.”
However, once companies believe customer or client information has been compromised, they should disclose exactly what happened, Ray said. This should include an explanation of what steps are being taken to address the breach and what steps customers need to take to protect their information.
“The challenge is knowing when you know enough without taking too long,” Ray said.
Companies may withhold information from the public because they don’t want to appear vulnerable to cybercriminals or jeopardize ransom negotiations, he said.
The FBI also has no interest in early disclosures and can ask companies not to disclose information, Ray said. In some cases, the agency has recruited agents from among cybercriminals and does not want to jeopardize ongoing investigations, Ray said.
“It’s an incredibly advanced game and you want to show that you have everything under control,” he said.
Because Hannaford and other Ahold Delhaize USA online systems were affected in a very public way, they did not have the luxury of not acknowledging it, Ray said.
“The responsibility is to ensure they get a handle on it and take steps to mitigate the impact,” he said. “In this case, the interests of the company and the customers are aligned.”
BUILDING AND MAINTAINING TRUST
Ahold Delhaize’s Nov. 8 announcement was short and sweet, especially compared to Hannaford’s typically more personal, community-oriented efforts to promote healthy, time-saving grocery shopping solutions.
“We apologize for any inconvenience this issue may have caused to customers and partners,” the statement said.
The announcement was no longer posted on the company’s website on Friday.
But while the public may have grown accustomed to repeated reports of data breaches, PR and branding experts say it’s a mistake to let customers worry or even wonder for too long about the personal consequences.
“The worst thing a company can do is go dark,” says Rich Brooks, president of Flyte New Media, a branding, web design and digital marketing firm in Portland.
“As soon as a company stops answering questions, people will fill it with whatever,” Brooks added.
Companies build trust with customers over time, he said, creating a bank they can draw on when problems arise. But regaining that trust can be difficult.
“It’s just how you deal with it,” Brooks said. “They may have very legitimate reasons why they can’t say anything, but they need to explain that and say what they will do if they find out.”
Nancy Marshall, CEO of Marshall Communications, a Maine public relations firm that specializes in crisis management, said Hannaford is fortunate to have built a trustworthy reputation.
“I understand that the public wants to know what’s going on, but it’s almost dangerous for them to speculate about what’s happening,” she said.
But whenever a company faces a customer relationship crisis, “my advice is always to show compassion for the victims,” Marshall said.
In this case, Hannaford customers are potential victims of a cybersecurity problem, she said.
“They need to reassure them that they are doing absolutely everything they can to get to the bottom of this and make sure their information is safe,” Marshall said.