Home Depot data breach could dwarf Target’s

Home Depot confirmed yesterday that its POS systems were compromised by malware that may have begun collecting information on the chain’s customers going back as far as April.

News of a possible breach first became public with a Krebs on Security article, which reported multiple banks had found evidence pointing to a breach at the home improvement retailer.

Home Depot confirmed its systems were breached at nearly 2,200 locations in the U.S. and Canada. It is working with the Secret Service, banks and security firms Symantec and Fishnet Security to address the situation.

At this point, Home Depot says it has not found evidence that any customer PIN numbers have been compromised. In a press release, it said it was taking aggressive steps to protect its customers’ information. It has not, however, said its data has been totally secured. The chain is offering free identity protection services to any customers who used a credit or debit card from April 1 on.

"We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue," said Frank Blake, chairman and CEO, in a statement. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts."

While it has yet to be confirmed by Home Depot or law enforcement authorities, the Krebs report suggests a possible link between this breach and the one that compromised Target’s system last year.

According to Krebs, Home Depot’s breach could be larger than Target’s in 2013. Over a three-week period, criminals gained information on roughly 40 million cards at Target. Home Depot’s system appears to have been compromised for a much longer period of time.

The same criminals behind the Target breach, believed to be from Russia and the Ukraine, appear to be responsible for the attack on Home Depot. According to Krebs, stolen cards from the group are being offered for sale as either "American Sanctions" or "European Sanctions" in apparent payback for steps taken by Western nations over Russia’s illegal annexation of Crimea and its support for separatists in Eastern Ukraine.

Discussion Questions

How will the data breach at Home Depot affect its business going forward? What is your evaluation of the chain’s response to date?

15 Comments
Bob Phibbs
9 years ago

I stand by my statement in January that data breaches would be the big story for 2014. It does not appear to have the blowback of Target’s that constantly seemed to grow in scope. But it’s early.

Dick Seesel
9 years ago

It’s hard to know whether consumers have become numbed to data breach stories, and therefore Home Depot will take a smaller sales hit than Target. Part of the issue with Target was its visibility, the timing during holiday season, and the former CEO’s decision to describe the possible reach of the problem as broadly as possible—against the advice of his own team. Home Depot seems to be taking a more low-key approach to the problem, and I do expect them to catch some flak about why this happened after April when they had months to respond effectively to the issues at Target.

Bill Davis
9 years ago

It will adversely impact their business, but how much depends on their response, which to date has been pretty well managed even though it’s 4-plus months after the issue arose. That’s the elephant in the room, the time between when the breach started, April, and when Home Depot recognized there was an issue, September.

Paula Rosenblum
9 years ago

I do think the season (or lack thereof) makes the problem less noteworthy. There is clearly some reason retailers hold off on announcing these breaches. Whatever that reason might be, it’s bad news for shoppers.

I believe the time has come for us to accept that data breaches are now a fact of life. And so efforts should be focused on catching criminals in the act, rather than protecting the perimeter. That’s why the ISACs put together by RILA and NRF are so important. With information sharing and putting their collective heads together, retailers will come up with better responses.

Cathy Hotka
9 years ago

Once again, this breach proves that companies that are diligent about data security can be breached. The question is whether other retail companies will learn from this and seek out professionals to manage their corporate data assets. Retailers can no longer claim to be surprised by unfortunate news stories like this one.

Max Goldberg
9 years ago

Yet another retailer that did not take the necessary steps to protect its customers and then compounded the problem by not being completely transparent. I suspect Home Depot will be paying a price similar to Target: Tens of millions of dollars paid out, a drop in sales and a public black eye.

Retailers must take the threat of security breaches seriously. Large retailers are targets of organized, if not government-sanctioned, cyber attacks. The switch to chip-and-pin technology is much too slow. This attack, coming days before the announcement of the new Apple wallet built into the new iPhones, may dampen consumer interest in new payment systems. We might even see a swing back towards cash.

Gene Detroyer
9 years ago

Perhaps retailers should not be the keepers of the data?

Ed Rosenbaum
9 years ago

There will be an effect. But I doubt it will be to the level of Target. Home Depot seems to have gotten in front of this earlier than Target. What is somewhat confusing is they suspect it to be caused by the same criminal element. Yet, it is six months later and they are doing better at breaching than the law enforcement group is doing at shutting them down. Who will be next? And it looks like there will be a next.

Ed Dunn
9 years ago

I also stand by my statement that data breaches would be the big story of 2014.

Sounds like CurrentC and MCX are attractive—cards are currently stolen because they are universal and can be used anywhere. MCX makes the card numbers exclusive to the internal network. The merchants are getting towards the inevitable conclusion that they need to be in charge and take ownership of the transaction process.

Shep Hyken
9 years ago

It is unfortunate, but data breaches are becoming common. Cyber-criminals continue to thwart the best efforts retailers make to maintain secure and safe transactions. This is just another data breach and shouldn’t impact business for Home Depot. They have been proactive to inform their customers. They are taking measures to confirm that PINs and other data are secure. There is a lot of history on how this situation has been handled by retailers who’ve had data breaches. So, it’s not hard for any company to see what has worked and not worked.

Data breaches aren’t the real issue for the consumer. If a bank robber gets into the vault but doesn’t take any money, all the robber did was break in. The real issue for the consumer is credit card fraud and identity theft. Retailers should be proactive and insure against credit card fraud and identity theft. Companies like AllClear ID, for literally pennies, will insure customers. The most conscious take advantage of programs like these.

David Zahn
9 years ago

My suspicion is that more and more shoppers are beginning to think that there are two kinds of retailers, those that have been breached and those that will be breached. I think the shopper has developed fatigue around the issue in terms of choosing WHERE to shop, but may be less inclined to use credit/debit.

The response has been more muted than I would prefer—sooner and more open is better than sitting on it and being less transparent about it once they knew.

Pete Cleaveland
9 years ago

April through June is Home Depot’s Christmas season! This is as devastating as the Target breach in size, scope and timing.

Naomi K. Shapiro
9 years ago

This is definitely a sign of the times. Retailers are going to have to seek new ways to protect the information they collect from their customers that cannot be breached. The concern should be more about ALL RETAILERS finding new ways to collect AND protect from security breaches. And the “breachers” are doing this as payback for the U.S. position on the Ukraine and Crimea?! Mind-boggling. To mix my metaphors, this is only the tip of one iceberg to the soft belly by cyber-terrorism.

As for the chain’s response, nothing more or less can be done to assuage the public’s concerns, as it’s becoming so common, it probably numbs the customers from taking any action.

W. Frank Dell II, CMC
9 years ago

Data breach is becoming a common occurrence, like product recall. Most consumers assume the retailer and their bank/credit card company will take care of any issues that may arise. Home Depot may see a short-term decrease in sales, but not a long-term one.

The company’s response was weak by saying it may have been occurring as far back as April. A better response would have been definitive as to the time period, etc. The bigger question is, what are the credit/debit card companies and retailers doing, moving forward? Losses from these breaches are costing billions; new technology is required now.

David Livingston
9 years ago

Probably no effect. Most people just assume every retailer has a data breach and nothing becomes of it. Most companies probably never bring it up to their customers and make no mention of it.
