Introduction
Home Depot experienced one of the largest credit card compromises on 8th September 2014, when a data breach involving 56 million credit cards occurred. An investigation was started immediately to determine the extent of the damage, and a free credit service was offered to customers who had used their credit cards to pay since April 2014. The company's data incident response team claimed to monitor and investigate the case thoroughly and to come up with appropriate solutions.
Case Summary
After the Target data breach in 2013, the 2014 data breach at Home Depot has been the largest one yet, with data lost from 56 million credit cards compared with 40 million at Target. The cybercriminals were able to gain access to the point-of-sale (POS) systems to steal the card data, which is exactly how the breach happened at Target as well. The culprits infiltrated the database and vendor environment belonging to Home Depot by making use of a vendor's logon details. They gained access to Home Depot's corporate cloud by exploiting a zero-day vulnerability in Windows. On reaching the Home Depot network, the attackers installed memory-scraping malware on more than 7500 self-checkout POS stations, eventually stealing data from 56 million credit cards. The malware also stole 53 million email addresses, which increased the risk of phishing exponentially. The stolen payment card information was sold on the Rescator carder forum (Schwartz, 2014).
The breach was said to have commenced in April and was detected by Home Depot in September, when the company received information about abnormal payment card activity from financial institutions and law enforcement agencies. The stolen cards were sold at prices ranging from $9 to $50 each.
A combination of factors made Home Depot's network vulnerable to this attack, including the fact that the company was using Symantec's Endpoint Protection 11 anti-virus software to protect its POS network even though a newer version had been introduced in 2011. Apart from that, it is crucial to understand that attackers usually target anti-virus software and succeed in disabling it with ease, especially if they know the type of anti-virus software installed. Hence the outcome also depends on the nature of the attack and on whether the attacker got lucky in making it through the anti-virus software or had specific information about it. In addition, Home Depot was in the process of strengthening its security: it had bought an updated security tool to encrypt and protect card details while they were being sent from the POS terminals to the central server. However, the tool had not been implemented before the attack happened. It would have been beneficial against the memory-scraping malware. Updated encryption tools such as Chip and PIN cards do not even save the credit card number in the payment terminal, which avoids the problem at an initial level (Schwartz, 2014).
The data breach brought a significant setback to the company in terms of costs. It started with the banks' claim to be paid $2 per compromised payment card without even proving their losses. Home Depot paid at least $134.5 million to compensate Visa, MasterCard and a number of other banks. In addition, Home Depot had to deal with 50 lawsuits, paying $19 million in the process, out of which $13 million was given to the customers to make up for their losses and $6.5 million went to subscribing them to one and a half years of identity protection services (Stempel, 2016).
According to an analysis, the company will have to bear losses of about $10 billion over a span of ten years. An estimated cost of $176 per compromised record was calculated, covering expenses in different areas. A 6% fall in EBITDA was expected in 2017, with a 4% decrease in the existing price estimate due to the data breach (Vinton, 2014).
Recommendations
With the continuous advancement of technology and the increased usage of credit cards, the protection of data and credit card information has increasingly become a topic of discussion.
Point-to-point encryption is one of the approaches that offers hope of providing security against online attackers. It involves encryption at the point of swipe when the credit card is used. This happens before the data enters memory, which prevents the unencrypted data from ever being stored there. When the card is swiped, the data is encrypted inside a tamper-resistant security module, including the unique key used for the transaction. This data is later transferred to hardware owned by the POS service provider at another location. There the card data is decrypted and then encrypted again using the bank's encryption key before being sent to the bank, where the data is decrypted once again (Hawkins, 2015).
POS network isolation is another aspect to consider when exploring different security measures. The POS system should be properly segregated from the rest of the company's corporate network. This can be done by setting up private VLANs on a network switch. Individual IP addresses should be assigned to each POS device within a given range. Isolating the network also makes it easier to set up firewall rules for a specific environment. A dedicated firewall can also be set up for the sole purpose of protecting the POS channel.
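The following added example (not part of the original case study) shows one way to check a firewall rule set against the isolation described above. The subnets, hosts, ports and rule names are constructed assumptions; the rule tuple format is hypothetical and does not correspond to any specific firewall product.

```python
import ipaddress

# Constructed addressing plan (assumptions, not taken from the case study).
POS_NET = ipaddress.ip_network("10.20.0.0/24")  # range assigned to POS devices
ALLOWED_FROM_POS = [(ipaddress.ip_network("10.50.0.10/32"), 443)]  # payment gateway
ALLOWED_TO_POS = [(ipaddress.ip_network("10.60.0.5/32"), 22)]      # management host

# Constructed rule set: (name, source, destination, port, action)
RULES = [
    ("pos-to-gateway", "10.20.0.0/24", "10.50.0.10/32", 443, "allow"),
    ("mgmt-to-pos", "10.60.0.5/32", "10.20.0.0/24", 22, "allow"),
    ("corp-to-pos-smb", "10.10.0.0/16", "10.20.0.0/24", 445, "allow"),
    ("pos-to-any-web", "10.20.0.0/24", "0.0.0.0/0", 80, "allow"),
    ("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

def _approved(net, port, allowed):
    """True if (net, port) falls entirely inside one approved (network, port) pair."""
    return any(net.subnet_of(a) and port == p for a, p in allowed)

def audit_rules(rules):
    """Return (rule name, problem) for allow rules that break POS isolation."""
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Traffic leaving the POS segment must go only to approved destinations.
        if src_net.overlaps(POS_NET) and not dst_net.subnet_of(POS_NET):
            if not _approved(dst_net, port, ALLOWED_FROM_POS):
                findings.append((name, "POS segment reaches unapproved destination"))
        # Traffic entering the POS segment must come only from approved sources.
        if dst_net.overlaps(POS_NET) and not src_net.subnet_of(POS_NET):
            if not _approved(src_net, port, ALLOWED_TO_POS):
                findings.append((name, "unapproved source reaches POS segment"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_rules(RULES):
        print(f"{name}: {problem}")
```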
Protection and management of third-party vendor details is also an important part of ensuring that breaches like those at Target and Home Depot do not happen again and again. This was one of the ways through which the attackers gained access to the corporate networks of these giant retail stores. They first gained entry into a vendor-specific environment, of which the retailers were also a part. This calls for strict measures when dealing with these service providers, allowing them only the minimum amount of access needed to carry out their important tasks related to data transfer and management. They should not be allowed access to internal resources. Proper access IDs should be assigned to each and every employee allowed to enter the cloud, and a system should be installed to record every entry that is made. These account activities should be monitored so that a close watch can be kept on all external resources.
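The following added example (not part of the original case study) sketches the monitoring described above: every vendor entry is recorded, and each record is checked against the minimum access assigned to that ID. The log format, account names, resource names and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed policy: each individual vendor ID and the only resources it needs.
VENDOR_SCOPE = {
    "vendor-a-jsmith": {"vendor-portal"},
    "vendor-b-mlee": {"vendor-portal", "invoice-upload"},
}

# Constructed access log: timestamp, account, source address, resource.
SAMPLE_LOG = """\
2014-04-10T09:02:11Z vendor-a-jsmith 198.51.100.7 vendor-portal
2014-04-10T09:15:40Z vendor-b-mlee 203.0.113.20 invoice-upload
2014-04-11T02:47:03Z vendor-a-jsmith 198.51.100.7 pos-mgmt-server
2014-04-11T02:51:19Z vendor-a-jsmith 192.0.2.55 vendor-portal
2014-04-12T10:00:00Z vendor-c-temp 203.0.113.99 vendor-portal
"""

def audit_vendor_access(log_text, scope):
    """Return (timestamp, account, reason) alerts for entries that break policy."""
    alerts = []
    sources = defaultdict(set)  # account -> source addresses seen so far
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, account, src, resource = parts
        # An ID that was never assigned should not be able to enter at all.
        if account not in scope:
            alerts.append((ts, account, "unregistered-id"))
            continue
        # Least privilege: anything outside the assigned scope is an alert.
        if resource not in scope[account]:
            alerts.append((ts, account, "out-of-scope:" + resource))
        # Heuristic: a personal ID appearing from a second address may be
        # shared or stolen, so flag each new source after the first.
        seen = sources[account]
        if src not in seen:
            seen.add(src)
            if len(seen) > 1:
                alerts.append((ts, account, "new-source:" + src))
    return alerts

if __name__ == "__main__":
    for alert in audit_vendor_access(SAMPLE_LOG, VENDOR_SCOPE):
        print(*alert)
```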
Conclusion
Big retailers such as Home Depot, and before that Target, have been victims of cyber-crime due to negligence. At least in the case of Home Depot, a lesson should have been learned from the case at Target: measures should have been taken to upgrade security, and an extensive plan should have been introduced to adopt modern ways to encrypt and secure data. Factors including outdated anti-virus software, a delay in upgrading data encryption tools and loopholes in the management of third-party vendor credentials all led to this data breach, which cost the company billions of dollars and a significant number of lawsuits.
Unfortunately, in the near future the threat of data breaches will only increase as cyber attackers become smarter and technology keeps advancing. Stricter, more serious measures need to be taken in order to protect data while it is being collected, transferred and stored.
Several measures, including the use of Chip and PIN cards, mobile payments, point-to-point encryption and strict control of third-party service providers, can at least help reduce this risk. Specifically, Home Depot should introduce a recognized security control infrastructure. It should dedicate a department to developing a program that ensures third-party vendors with access to payment card details handle the information with responsibility and care. This department should also audit the account activities of these vendors in order to keep a check on them. It should run risk assessment drills to assess any potential threats, notice abnormal activity and address these issues before they cause any significant losses (Roman, 2014).
References
Hawkins, B. (2015). Case Study: The Home Depot Data Breach.
Roman, J. (2014, Sept 8). Home Depot Confirms Data Breach. Retrieved from: https://www.bankinfosecurity.com/home-depot-confirms-data-breach-a-7288
Schwartz, M. J. (2014, Sept 16). Analysis: Home Depot Breach Details. Retrieved from: https://www.bankinfosecurity.com/analysis-home-depot-breach-details-a-7323
Stempel, J. (2016, March 8). Home Depot settles consumer lawsuit over big 2014 data breach. Retrieved from: https://www.reuters.com/article/us-home-depot-breach-settlement/home-depot-settles-consumer-lawsuit-over-big-2014-data-breach-idUSKCN0WA24Z
Vinton, K. (2014, Sept 18). With 56 Million Cards Compromised, Home Depot’s Breach Is Bigger Than Target’s. Retrieved from: https://www.forbes.com/sites/katevinton/2014/09/18/with-56-million-cards-compromised-home-depots-breach-is-bigger-than-targets/