The message on The Home Depot’s website earlier this week links to a page that makes dismal reading. Could this breach be the largest in history?
Home Depot, America’s fourth largest store with an annual revenue of $78.8 billion, suffered what is believed to be the biggest ever data breach involving 60 million payment cards. In an in-depth analysis, we probe questions surrounding the investigation and the impact this will have had on Home Depot’s brand and customer base.
This breach could be the largest ever. How is The Home Depot reacting?
It would seem from continuing coverage that the retailer has yet to say what was stolen, although experts fear the attackers may have gotten away with details of more than 60 million payment cards, which would exceed the number taken in last year’s unprecedented hack attack on Target Corp (TGT.N).
The investigation began on Tuesday morning, September 2, immediately after the company received reports from its banking partners and law enforcement that criminals may have hacked its payment data systems.
So said The Home Depot’s press release, issued on Tuesday 8 September.
So, what is the likelihood of millions of customer accounts being robbed?
Without the evidence from a full investigation, there is no way of saying definitively what the true impact has been and is likely to be… but, we can use the examples of previous data breaches and surveys gathered from within the data security industry to gain a sense of the likely threat level.
And do remember, The Home Depot is offering free identity protection services, including credit monitoring, to any customer who has shopped at a Home Depot store in 2014, from April on; i.e. from circa six months ago. The effects of this breach are already being felt if payment card details have been stolen and used fraudulently – as would appear to be the case.
How long does a hacker need to sell c.60 million payment card identities?
The Verizon 2014 Data Breach Investigation Report contrasted how long it takes the attacker to compromise an asset with how long it takes the defender to discover this. To quote the report: “We chose to peg this on “days” to keep things simple and stark (one might also add “sad” to that alliteration).” And it certainly is “sad” that most breaches take months to discover and are found by third parties in an average of 70-80% of attacks.
If the Home Depot hack dates back to April, should we care how long it took before the public were informed through the breaking news story? There is the matter of your card data being sold on in the time elapsed. Accomplished hacking gangs would only need a few hours to pull off the hack of the century once they have gained access and the compromised passwords to start downloading. It certainly helps them in their criminal endeavour if the crime doesn’t come to light for months after – whether that’s due to ignorance of such a large breach… or a deliberate fault.
Did The Home Depot know about the attack before 2 September, 2014?
A federal investigation may well find this out. For certain, though, a lot of people will want the Feds to leave no stone unturned. Exactly who knew, and when? And whatever the lawyers say about it, the People will tweet!
No one is saying that The Home Depot has deceived us; the truth is that we the public simply do not know what has happened for certain at this juncture. Detailed investigations, both internal and by state and federal officers, are likely to establish the truth. What we do know based on the news coverage this week is that two U.S. senators have asked the federal government to investigate this data breach on the payment-card processing systems of Home Depot Inc, and that five U.S. states have launched a probe into the matter as, to quote the newswires, “fallout from the attack intensified” [Reuters, Tuesday September 9, 2014].
There could be serious legal consequences for The Home Depot and its board if a federal investigation finds them to be negligent in this case. U.S. senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut have called on the Federal Trade Commission to investigate, saying in a statement: “If Home Depot failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects such information … Such conduct is potentially unfair and deceptive, and therefore could violate the FTC Act” [Source: Senators Want Probe of Home Depot Hacking, Newsmax, September 10, 2014]. Has The Home Depot been “unfair and deceptive” in the way that it has handled news of this assumed to be massive attack? This question could turn out to be a lot more important to the average American shopper than whether the U.S. retail industry’s woefully sluggish introduction of more secure chip-and-PIN technology is a significant factor. Large numbers of people are likely to react aggressively if there is even a suggestion that The Home Depot board kept a large data breach a secret.
Industry commentators are vocal about the lack of security in U.S. retail
Pundits and cybersecurity technology specialists are queuing up to point out what is wrong with the U.S. retail market’s stance on cybersecurity. Russ Spitler, VP of product strategy for AlienVault, said the following:
“Hackers are certainly not worried about any potential changes in our credit card infrastructure. When a fox sees a hen he doesn’t think of the eggs …
“We are seeing a stark reality of the economic incentives the hackers are exploiting. Major retail chains are easy targets because they have not invested in cybersecurity. Banks are no longer easy targets, they have fortified themselves and even built protections for their consumers, but point of sale systems originally designed and built years ago are easy places to grab a foothold. Hackers are focusing on retailers because ‘that is where the money is’ – it is the easiest target with the greatest reward. These criminals are doing the cost analysis of the investment they need to make to breach a target and what they are going to get in return. We have just seen reports of incredibly sophisticated attacks against major wall street banks – customised malware and long campaigns – if that is what it takes to break into a bank, no wonder the bigger breaches are focusing on the less sophisticated targets with just as large an economic potential.”
The issue of detecting the cyber crime in time to act effectively is also a popular topic in discussion groups as the penny drops about how long it has taken to wake up to the breach. Michael Sutton, VP of research, Zscaler Labz, said, “Beyond implementing chip and PIN technology, retailers have a long way to go when it comes to implementing appropriate detective security controls that would mitigate the damage from these attacks by identifying them as quickly as possible should they occur. It is concerning that gigabytes of credit card data can be siphoned from hundreds of retails stores each day for months and ultimately be sent to attackers in Eastern Europe without alarms being raised or reacted to.” [Source: Eskenzi PR].
There will be hard questions for The Home Depot and other U.S. retailers to answer about cybersecurity. Serious steps will need to be taken – soon!
Will another CEO be stepping down following this colossal data breach?
In February, Forbes reported: Target Profit Falls 46% On Credit Card Breach And The Hits Could Keep On Coming. Will The Home Depot’s profits be similarly affected following their announcement yesterday?
The Home Depot’s veteran CEO, Frank Blake, could perhaps find himself in a similar position to Target’s CEO, Gregg Steinhafel. See Forbes’ blog Target CEO Fired – Can You Be Fired If Your Company Is Hacked?
Being the founder may not save the CEO of any board in this situation.
Data breach incidents now ‘commonplace’ – every organisation ‘at risk’
Eric Basu’s incisive comment in his Forbes article says it all (remember? The one about corporate CEOs getting fired as a result of cyber breaches): “The loss of corporate data, violations of privacy laws and the degrading or total shutdown of business operations is becoming commonplace in today’s connected environments. These incidents put every organization — and executive team member — at risk.” – Every board in every sector!
As I reported my last blog post: Cyber crime has become a business that exceeds a trillion dollars a year in online fraud, identity theft, and lost intellectual property. It affects millions of people around the world, as well as countless businesses and the governments of every nation. But don’t take my word for the depressing numbers – the United Nations said this in 2011. Word for word (Cybersecurity: A global issue demanding a global approach. December 11, 2011. New York). Like The Home Depot, global cyber crime is really big business. So big, in fact, it’s threatening to take over our lives in the remainder of this decade if we do not act right now.
How do we fix this mess before we all lose faith in corporate governance?
The business case for managing cyber risk is clear. A comprehensive, business-wide risk assessment is critical, covering both current and emerging risks. The risk profile will be different for all organisations, and risks should be assessed as both strategic and operational. The level of risk tolerance a company is prepared to accept should be set by the board and this, together with the management of cyber risks, needs to be based on full information on the vulnerability of the company, and the consequences of cyber attack. Resources can then be deployed in the most crucial areas and in the most cost-effective way. Control procedures should be monitored and reviewed regularly by the board to assess their effectiveness, and should include the appointment of key risk individuals who are ready to respond quickly to minimize the consequences of any cyber attack. Regular assessment of identified cyber attacks will show where internal controls and procedures have broken down and need to be improved.
Have you carried out a cyber-security risk assessment using outside help?
Time to book a penetration test and take advice from the professionals?
KrebsOnSecurity claims that an investigation into the alleged Home Depot security breach identified a variant of ‘Black POS’, the same malware that affected Target point-of-sale systems. According to the site, credit card numbers stolen from Home Depot have already turned up for sale on black market sites.
Here’s an example of a page taken from one “black market site” [Source: KrebsOnSecurity – see his excellent article on The Home Depot breach.]
Graphic: Stolen credit cards for sale on Rescator’s site, indexing each card by the city, state, and ZIP of the retail store from which each card was stolen.
We can help you to implement effective cybersecurity procedures and controls using ISO27001.
ISO27001 is the international information security management best-practice Standard that will help you protect your information assets, comply with local compliance requirements and thrive as you give your customers confidence that their information is protected.
Leverage our ISO27001 expertise 24/7 to protect your information assets anywhere in the world. Our four structured solutions enable any organization to implement ISO27001 at a speed and budget that is appropriate for their individual needs and preferred project approach.
Find out more about our ISO27001 solutions.
No comments: