The warning point here -- and the aspect that's attracting a fair amount of attention -- is the endpoint-based nature of the breach. The malware -- which may have been custom-fashioned for the Hannaford Bros. attack -- worked locally, rather than seeking to penetrate central datastores.
In other words, every point in your network must be hardened and re-hardened, not just the core and, tellingly, not just the conduits through which sensitive data moves inward from the endpoints.
It's a test that Hannaford failed 300 times -- or 4.2 million times, depending on your perspective.
One thing the company is doing right, from my perspective, is being absolutely upfront -- as in opening page -- about the breach.
Take a look at the Hannaford Bros. Web site and the first thing you see is a credit card scam alert banner.
Included in the notification is a good letter from the company CEO, as well as a pretty good Q&A.
It would have been better, needless to say, if Hannaford had stayed ahead of the threat at all of its endpoints; but failing that, the company has taken a strong public stand without much waffling or dodging, and that's a good lesson.