The primary subject matter in this case is an in-depth look at one of the most well-known data breach victims of 2008: the Hannaford Brothers grocery chain. This case can be used as a short case illustrating how an organization can become a data breach victim, the type of data criminals are interested in stealing, how they use stolen data to commit fraud, and the possible legal consequences of allowing confidential information to be stolen.
To facilitate a more in-depth analysis if desired, the case and discussion questions are grouped into the following dimensions: credit card data and processes, credit card fraud and identity theft, technical details of how the criminals accomplished the data theft, and the legal aspects of the lawsuits that resulted from the data breach. Any or all of these dimensions can be explored in more depth by either the entire class or different student groups.
The basic case has a difficulty level of one or two and is suitable for a general undergraduate business course. With a deeper exploration of one or more of the above dimensions, the case could be used to better understand criminal data theft and fraud in an upper-level accounting or finance course. More time spent on how the data was stolen would be appropriate for an information security course, particularly one with an emphasis on information technology. It could also be used in a business law or issues course to explore the legal environment surrounding data breaches, customer notification, and the possible legal consequences of a data breach. The basic case is designed to be taught in three class hours and is expected to require three hours of preparation by students.
Hannaford Brothers Company is a regional grocery company with stores throughout the eastern United States. On March 17, 2008, Hannaford Brothers announced that it had been the victim of a malware attack it characterized as "new and sophisticated" which resulted in over 4.2 million credit and debit card numbers being compromised. In every one of its close to 300 grocery stores in Maine, Vermont, New Hampshire, Massachusetts, New York and Florida, the malware had intercepted credit and debit card data after customers swiped their cards at the checkout counters. This stolen credit card data was fraudulently used in at least 1,800 cases in the U.S. as well as in Mexico, Bulgaria and Italy. On March 19, 2008, an attorney in Maine filed a class-action lawsuit against Hannaford Brothers. Other lawsuits followed shortly.
This case explores one of the most notorious data breaches of 2008--a year which according to one report had more records compromised than the preceding four years combined. Students will learn how the data was stolen, how criminals used the stolen data to commit fraud, the security standards in place to protect data and the results of the lawsuits against Hannaford Brothers.
Recommendations for Teaching Approaches
In the case typology suggested by Lynn (Lynn, 1999) this case is an "Illustrative Case". It illustrates how an organization--even when its IT security meets industry standards--can fail to protect its customers' data when confronted with clever, high-tech criminals. Because it is an illustrative case, it was designed to be used to explore a number of quite different dimensions of a data breach.
It is recommended to first discuss the timeline of the key events and responses for the data breach. That timeline is shown in the next section.
Next the instructor can explore any or all of the following dimensions: the nature of credit card data and the processes and entities involved in making a credit card purchase, how criminals use stolen data to commit fraud, how the criminals engineered the Hannaford Brothers data breach, and the legal issues Hannaford Brothers faced after publicizing its data breach. Although the case is self-contained, it is designed to allow instructors to drill down into any or all of these dimensions. …