Privacy Monday – September 8, 2014
Back to school, back to traffic jams … back to Privacy Mondays! Our look at bits and bytes and goofs and gaffes in data privacy and security
Home Depot Breach Update
It has been nearly a week, and The Home Depot has still not confirmed that it is the latest victim of point-of-sale hackers in what is potentially a massive data breach. The company has confirmed that it has been in contact with the U.S. Secret Service about an investigation into a potential breach, and Chief Executive Officer Frank Blake told investors at the annual Goldman Sachs Retailing Conference last Thursday that Home Depot and investigators were working around the clock to find a breach. He has yet to confirm that a breach has occurred.
The delay has engendered the filing of at least one purported class action lawsuit in the U.S. District Court for the Northern District of Georgia, Atlanta Division. The suit — filed last Thursday — alleges that Home Depot failed to meet its legal obligation to protect the putative plaintiffs’ credit card and personal information and failed to timely warn them that their information had been stolen or compromised. The complaint alleges that in “late April or early May 2014, computer hackers gained access to Home Depot’s POS data network and stole the personal financial information of hundreds of thousands, if not millions, of Home Depot’s customers.” None of these facts has been confirmed by the retailer; so far they have appeared only in the security blog Krebs on Security, attributed to “unnamed banking sources.”
And the San Francisco Chronicle did some interesting reporting to advance the story, asking “is there anything retailers can do to prevent breaches?” See an excerpt below:
Security experts say large companies can never completely shield themselves against cybercriminals, but many can improve their odds by focusing more attention on closing loopholes.
“The reality we live in today is any company is breachable,” said Aleksandr Yampolskiy, chief executive of SecurityScorecard Inc., which rates businesses on the level of their security. “If someone is determined enough, they can hack into any company. And for the biggest companies, it’s nearly impossible to secure all of the weakest links.”
As a safeguard, some U.S. retailers have said they will adopt cards with embedded chips that many other countries use in place of cards with magnetic strips that store personal information, which can be more easily counterfeited.
In the past, the high cost of this EMV system – named for its developers: Europay, MasterCard and Visa – has prevented wide adoption by U.S. companies. Instead, credit companies created the Payment Card Industry Security Standards Council in 2006 to push for better protections against consumer data theft.
Many hackers have attacked U.S. companies because they make easier targets than their European counterparts, security analysts say.
“The U.S. has not implemented chip-and-pin, so it’s the low-hanging fruit,” said Nick Economidis, an underwriter at Beazley, which provides insurance for breach response. “There seems to be a general consensus a lot of that fraud has been moved to the U.S.”
But implementing EMV will take years, and some retailers are balking at spending the billions of dollars it will take to replace equipment. And many aren’t doing all they can to prevent hacks, experts say.
Yampolskiy said his company has given Home Depot a C rating for its overall security. Walmart and Costco both have B ratings.
Home Depot takes about 1.3 days to clean up malware in its system, compared with the retail industry average of one day, he said. Hackers have been chattering online about vulnerabilities on the home improvement chain’s website since 2008.
WORTH READING FROM THE SUNDAY PAPER: Health Care Ramps Up to Fight Mounting Cybersecurity Risks
The Boston Globe ran a front-page feature article yesterday on the growing cyberthreats to the health care industry. To get your attention: “It’s a war we’re in,” said John Halamka, the chief information officer of Boston-based Beth Israel Deaconess Medical Center and cochair of the Health IT Standards Committee, a federal group that advises the government.
Hackers have several reasons for targeting health records, including identity theft, financial fraud, and illegal drug use. The Globe noted, “the US Department of Health and Human Services has increased the incentive by cracking down on medical facilities that fail to protect patient data.” If you are in the health care industry or provide services to the health care industry, this should be required Monday morning reading from the C-suite to the front lines.