The Home Depot is the latest retailer to feel the sting of a data security breach. The American home product retailer announced last week that more than 53 million customer email addresses in addition to payment card information had been compromised in a hack attack. The attack will cost Home Depot more than $62 million and is likely to cost much more; the Boston Business Journal reported on 10 November that three New England men were filing suit against the retailer as a result of the data breach.
A request for comment from the Home Depot resulted in a reiteration of the facts spelled out in a recent press release. Following several weeks of investigation, the Home Depot revealed that the criminals used “a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network,” but these credentials alone did not provide direct access to the company’s point-of-sale devices. In addition, the statement noted that the hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
The Home Depot is certainly not the first retailer to face the consequences of a data breach; Target was hit in late 2013 and a number of other big-name American retailers have also had data breaches. Beazley, a data breach insurer, has just completed an analysis of 1,500 data breaches it has serviced since January 1, 2013 and found that incidents of breaches caused by malware and hacking are on the rise.
According to Beazley, 864.2 million personal records have been breached in the U.S. since 2005, and 56 percent of those breaches are attributable to malware or hacking.
In addition, Beazley noted that 18 percent of U.S. Internet users have reported having had personal information stolen following breaches of online privacy.
The need to protect consumer data is becoming ever more vital in an increasingly vulnerable digital world. Ken Munro, Senior Partner at ethical hacking firm Pen Test Partners, noted that, according to various sources, the Home Depot attack was enabled by putting quite specific malware onto the network. Munro wondered how the tool had bypassed the corporate anti-virus measures.
In Home Depot’s statement, it was noted that the malware used in the attack had not been seen in any prior attacks and “was designed to evade detection by antivirus software, according to Home Depot’s security partners. As the company announced on September 18, the hackers’ method of entry has been closed off and the malware has been eliminated from the company’s systems.”
Munro said: “However the malware was delivered, it still begs the question ‘how did the attackers capitalize on it so easily?’, as the hackers ‘were able to move throughout Home Depot’s systems and over to the company’s point-of-sale systems as if they were Home Depot employees with high-level permissions’, according to those briefed on the investigation.”
Munro explained that this question is one that many organizations fail to account for, even when doing the most sophisticated threat modeling. “We find that the migration and pivot from the compromised host is almost invariably simple stuff – patches and passwords,” he said.
Munro added: “Home Depot, and anyone else for that matter, would be well advised to ensure they have got these basics covered.” The questions to ask, Munro said, are: “Is our password policy truly robust?” and “Can we trust the efficacy of our patch management?” “My gut feeling is that many organizations will find themselves lacking,” he said.
Tsion Gonen, Chief Strategy Officer at SafeNet, said that this is yet another breach where hackers are not only targeting financial information, but also personally identifiable information like email addresses that consumers hold dear.
“Security is only as strong as your weakest link and in this case it wasn’t even Home Depot but one of its vendors. Relying on simple passwords is a mistake,” he said. “This massive breach reinforces why more companies need to implement multi-factor authentication not only for their own employees but for third-parties that access their data and systems. Unfortunately, only a third of companies are doing this today.”
Julian Waits Sr., president and CEO of ThreatTrack Security, said: “It’s come to light that this breach was initiated through a third party vendor that was connected to Home Depot, which is yet another reminder that even those organizations that have deployed strong cyber defenses within their own operations still need to carefully vet the security practices of any partner with access to their data. A third party may have been the weak link, but consumers won’t appreciate that nuance when they decide who is at fault.”
Waits added: “The Home Depot breach investigation has revealed another layer of the onion that is perhaps more troubling than the initial loss of credit card information. The fact that 53 million customer email addresses were stolen is significant, as email remains the top threat vector through which hackers launch attacks.”
He explained that through social engineering and clever phishing schemes, unsuspecting customers could be tricked into giving away much more than their credit card information in the coming months.
Robert Siciliano, identity theft expert with BestIDTheftCompanys.com, said: “Many retailers are taken by surprise due to the fact that their systems are not properly segmented. They failed to see how other servers on their networks could be hacked and used as bridges to access other sensitive data. With this new knowledge, they will work towards a more secure network.”
Sutton said that while the full scope of the breach remains to be seen, given the number of Home Depot stores and the volume of daily transactions, it is possible that this will rival the Target breach in terms of impact.
Sutton said that these breaches could have largely been avoided had US retailers adopted the ‘chip and PIN’ technology mandated in debit/credit cards in most industrialized countries. “The technology has not been widely adopted in the US primarily due to lobbying by retailers who were concerned about the cost of implementing the technology,” he said. “Retailers are now seeing first-hand why the technology is necessary and how technology costs pale in comparison to the direct and indirect costs associated with a major data breach.”
Sutton noted with concern that in virtually all of the breaches over the past year, the attack was uncovered not by the retailer but by payment processors or law enforcement officials after they detected anomalous transaction patterns, and generally only after card data had been stolen for weeks or months.
“Beyond implementing chip and PIN technology, retailers have a long way to go when it comes to implementing appropriate detective security controls that would mitigate the damage from these attacks by identifying them as quickly as possible should they occur,” he said. “It is concerning that gigabytes of credit card data can be siphoned from hundreds of retail stores each day for months and ultimately be sent to attackers in Eastern Europe without alarms being raised or reacted to.”
Catalin Cosoi, Chief Security Strategist at Bitdefender, said that it is not possible to prevent such attacks; however, it is possible to make them highly unlikely to succeed. “It is also possible to limit the extent of possible damage that any given successful attack can cause. For starters, deploying anti-malware protection to payment terminals should be a no-brainer, as should encryption and compartmentalization of access to credit card and other customer data,” he said.
Perhaps more significant than the financial hit for Home Depot is the potential damage to reputation. “The reputation hit to a brand can be very hard to repair, especially with so many consumers directly affected by a breach,” Cosoi said.
He advised that good first steps to addressing the issue would be communicating breaches as soon as they are found and providing help for customers to safeguard their money and identities in the face of compromise. He added that companies should put in place a credible and public initiative to secure systems and data, like the one Microsoft has implemented.
It is too soon to tell where this leaves the Home Depot, Cosoi said. “Worst-case, they’re looking at a class-action lawsuit from affected cardholders on top of any possible fines and probation time resulting from non-compliance with PCI DSS, should such non-compliance be proven,” he said.
Headline photo courtesy Ildar Sagdejev, Wikimedia, under CC license.