Breach at Home Depot?
Friday September 5 2014
The US retailer could be the latest victim of yet another credit card fraud scandal
[Updated 5 September, 10:00am BST, to include updates from Home Depot CEO]
It’s understood that US home improvement retailer Home Depot is currently working with law enforcement to investigate what was termed ‘unusual activity’ relating to customer data.
At an investor conference this week, outgoing CEO Frank Blake said the company was "working around the clock" since Tuesday morning to resolve the "potential data breach" but didn't confirm that a breach had actually occurred.
"When faced with an issue like this you have a choice," said Blake. "You can wait to communicate or you can communicate the facts as you know them. We chose the latter path. The downside of that is we cannot answer all of the questions."
During the conference, Mr. Blake said cybersecurity was a major issue for many people including Home Depot and explained the company had invested in new credit-card terminals at cash registers that take chip and PIN credit and debit cards, but that it had not yet activated the chip-reading technology on them. It's understood the retailer will do so by the end of 2014.
Cards in the cybercrime underground
A new batch of stolen credit and debit cards recently went on sale in the cybercrime underground, according to security blogger Brian Krebs, who first broke the news that Home Depot stores could be the source of the data. The size of this particular breach has yet to be determined, but it's anticipated that it could end up having a larger impact than the breach at Target, which compromised over 40 million payment cards.
Home Depot made an announcement this week confirming the retailer was "looking into some unusual activity that might indicate a possible payment data breach" and confirming it was working with its banking partners and law enforcement to investigate.
"We know that this news may be concerning and we apologise for the worry this can create," continued the statement. "If we confirm a breach has occurred, we will make sure our customers are notified immediately."
The statement went on to reassure customers that they would not be responsible for any possible fraudulent damages. "The financial institution that issued your card or Home Depot are responsible for those charges should we confirm a breach," said the note, which recommended customers monitor their accounts for unusual activity.
"If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers," concluded the statement.
Attacking in-store rather than online
Reacting to the news, Rob Cotton, CEO at global information assurance firm NCC Group, commented that the typical physical controls and defences in a retail outlet, coupled with the transient nature of staff, mean the initial attack vector could be in-store, as opposed to the internet.
"It's often forgotten that POS devices are simply general purpose PCs and are therefore subject to similar dangers and vulnerabilities," said Cotton. "The retail sector is an industry which relies on compliance-driven security, but this is an ineffective model which won't always achieve the intended goals. With the number of high-profile breaches growing rapidly, retailers need to get on the front foot and be proactive about protecting their customers and systems."
Chip and PIN
While the full scope of the potential breach remains to be seen, given the number of Home Depot stores and the volume of daily transactions, it is possible that this will rival the Target breach in terms of impact, according to Michael Sutton, VP of research at Zscaler Labz. "These breaches could largely be avoided if US retailers adopted the 'chip and PIN' technology mandated in debit or credit cards in most industrialised countries."
Sutton says this technology has not been widely adopted in the US primarily due to lobbying by retailers who were concerned about the cost of implementing the technology.
"Retailers are now seeing first-hand why the technology is necessary and how technology costs pale in comparison to the direct and indirect costs associated with a major data breach," he said.
“It is also concerning that in virtually all of the breaches that we've seen over the past year, the attack is almost always uncovered not by the retailer, but by payment processors or law enforcement officials after detecting anomalous transaction patterns and generally after card data has been stolen for weeks or months.”
Tough year for security
"Home Depot could yet be another victim of credit card theft this year," commented Stephen Coty, chief security evangelist for Alert Logic. "They are in good company with Target, Michael's, Specs, Neiman Marcus, P.F. Chang's, and White Lodge."
“This trend shows us that retailers are having a tough year keeping ahead of their malicious adversaries,” continued Coty. “It's being reported that the malicious actors were on the Home Depot network for almost 5 months. This really highlights the need to make the proper investment into their security people, process and technology.”
Outdated approach to retail security
Every organisation that processes credit card numbers with point-of-sale terminals connected to computer networks should assume that its network has already been targeted or will be targeted in the near future, according to Tom Cross, director of research at Lancope.
"Organisations that handle payment cards need to look at their exposure to attack, as compliance with industry standards does not necessarily equate with security," said Cross. "They also need to start looking inside of their networks to see if they can detect compromises already in progress. Many organisations lack the tools and processes needed to detect attacks once they've bypassed the perimeter. That's an area that needs greater emphasis from information security programs."
[Updated: 05.09.2014, 10:00am BST]