Thursday, March 20, 2008

Hannaford you f-ing boneheads!

So this one hits close to home for me since I frequent Hannaford Brothers 2-3 times per week. It hits even closer to home because I have contacted their CIO, CFO, and several folks in their IT group offering help for the past two years.

It is in my best interest to protect my information with the companies I do business with and especially those companies in my backyard.

Mr. Ron Hodge, here is my list of people that I have contacted in the past two years to prevent this from happening. I will also tell you that this whole issue could have been prevented for under $200,000:

Bill Homa - CIO
Jeff Reeder - CFO
Kevin Carleton - Director of Retail Operations
Tricia Gilbert - IS Auditor
John McFarland - Enterprise Systems Team Lead

Add to this list past folks who either had the sense to leave before the sh*t hit the fan, or to bail before they were held accountable by some loudmouth like me:

Paul Fritzson - CFO
David Fournier - IT Security Specialist

If anyone from Hannaford Brothers reads this, please get back to me. I am still in a position to help, and I will wait for the phone call from Lifelock to see if the 1800 cases of fraud will include me soon.
Blogger Digitalsleet said...

I normally enjoy your blog, but this post is a bit disconcerting - publicly posting the names of people that chose NOT to contact you for your services is pretty unprofessional. As someone who manages security organizations for fortune 500 companies, I would not be likely to hire the services of someone in this industry who spoke publicly like that of businesses. You also risk smearing the innocent.

Also, how can you presume that it could have been prevented for under 200k? Without knowing where the systems were exploited, what is your basis for a cost estimate? I can (without any knowledge) guess at ways the data was accessed, and costs could run as low as 50k and as high as many millions, depending on variables I cannot possibly know as an outsider.

12:03 PM  
Blogger Mark Mac Auley said...

The point of the blog was two-fold: naming names to convey the importance of accountability in an organization that trades in personal data, and to cite a specific example of a situation two years ago where the knowledge I had and the solution I conveyed did cost under $200K. It would have identified specific users and specific machines, left an audit trail of every packet on the network tied back to that user and machine, and proactively mitigated the breach from happening, since no one but the people I named would have had access to the critical systems where the data came from and went to.

In full disclosure, I am a regular customer at Hannaford, laid out a solid, simple game plan that they chose not to go with, and I no longer work for the company who was trying to help them and 100 other firms mitigate the same risk. All companies I do business with online and at the brick and mortar stores I have contacted because as much as I think their people are doing a great job, it's still my personal data, and no one but me is more invested in protecting it.

The 'risk of smearing the innocent' comment I do not understand. Google the names, titles, etc., or email your phone number and we can discuss.

Bottom line is these are the people responsible for protecting my data and I give them a certain level of trust which was broken. I don't control their systems in any way shape or form, tried to help, and I am one of the 4.2M people affected by it.

Had I not been a customer, not been one of the people whose data was compromised, and not tried to help, calling people out on the carpet would have been not only unprofessional, but irresponsible as well.

I also run another blog at that you may want to take a look at as well.
7:31 AM  