Home Depot was about nine months into a security initiative to protect customer information against hackers when the company was notified of a data breach on the morning of September 2nd 2014.
With the help of a third-party vendor’s username and password, hackers had gained access to the retailer’s payment data systems and deployed custom-built malware designed to evade detection by anti-virus software.
Data from about 56 million payment cards that customers had used at US and Canadian Home Depot self-checkout registers from April to September 2014 were at risk of being compromised, according to investigation findings released by Home Depot. Also, the hackers stole 53 million customer email addresses for the potential use in email scams that plumb for sensitive personal information.
The Home Depot data breach, the latest in a string of cyber-attacks large US-based retailers have made public in the past two years, was particularly frustrating because Home Depot was in the process of enhanced encryption of customer payment data, Kelly Barrett, CPA, vice president for internal audit and corporate compliance at Home Depot, said during the fall 2014 Enterprise Risk Management Roundtable at North Carolina State University’s Poole College of Management.
Barrett said that having started the security initiative allowed Home Depot to respond much quicker and more effectively.
In the US, Home Depot completed the customer payment data encryption September 13th 2014. In Canada, it is scheduled to be done early this year. The company also accelerated the introduction of chip-and-PIN technology developed by Europay, MasterCard, and Visa that adds layers of payment card protection, and offered free identity protection services, including credit monitoring, to customers who used payment cards at a US store from April to the end of 2014, according to the company.
Still, Home Depot faces at least 44 civil lawsuits in the US and Canada because of the data breach, the company reported November 25th 2014 to the US Security and Exchange Commission.
Cyber-attacks have become commonplace
Costly cyber-attacks have become so frequent across industries that cyber-security is top of mind among executives and customers worldwide, surveys suggest.
Forty-eight per cent of respondents in PwC’s global 2014 Annual CEO survey said the perception of cyber-crime risk to their business has increased, up 9 percentage points since 2011. A Deloitte survey of CFOs in Canada, the US, and Mexico found that cyber-security was a top priority for 74% of respondents.
Point-of-sale (POS) intrusions are particularly common in the retail and hospitality industries, but the health-care sector is also at risk, according to Verizon’s 2014 Data Breach Investigations Report, which is based on an analysis of more than 63,000 incidents in 95 countries.
Nine common attack patterns
The Verizon research found that nine types of cyber-attacks accounted for 92% of the incidents that occurred in the past decade:
Crimeware. The public sector, utilities, manufacturing, and information industries are particularly at risk of malware that compromises systems such as servers and desktops. To make it harder for crimeware to get in, patch anti-virus programmes and browsers, avoid Java browser plugins as much as possible, use two-factor identification, and implement configuration-change monitoring.
Insider and privilege misuse. Misuse of computer access privileges is widespread among industries and within companies. To better protect your data, find out who has access to every aspect of it, review user accounts, set up controls to watch for data transfers out of the organisation, and publish anonymised results of audits.
Physical theft and loss. The public and health-care sectors are threatened by the loss or theft of laptops, USB drives, or printed documents. To prevent theft or loss, encrypt devices, back up data regularly, lock down IT equipment to immovable fixtures, and store sensitive documents in secure areas.
Web app attacks. Utilities and companies in the information, manufacturing, and retail sectors face risks from web application attacks. To prevent misuse of stolen credentials or exploitation of vulnerabilities, use two-factor authentication, consider switching to a static content-management system, lock accounts after repeated failed login attempts, and monitor outbound connections.
Denial-of-service attacks. The finance and retail sectors are particularly at risk of being attacked by botnets and powerful servers trying to grind business operations of systems and applications to a halt. To fortify against malicious traffic attacks, ensure that servers are patched promptly, buy a small backup circuit and segregate key servers, test your anti-DoS service, and make sure key operations teams know what to do in case of an attack.
Cyber-espionage. Professional services, transportation, manufacturing, mining, and the public sector are popular targets. To protect against breaches, patch software vulnerabilities, update anti-virus software, train users to recognise and report danger signs, and keep good logs of system, network, and application activity.
POS intrusions. Retail and the hospitality sector are particularly at risk. To reduce the risk, limit remote access to POS systems by third-party companies; enforce strong password policies; do not allow staff to use POS systems to browse the web, check email, or play games; and use two-factor authentication.
Payment card skimmers. Banks, retailers, and hospitality companies are particularly at risk of skimmers’ reading payment cards as customers pay. To prevent the installation of skimmers on, for example, petrol pumps or ATMs, use tamper-resistant terminals, train employees to spot skimmers and recognise suspicious behaviour, and use tamper-evident controls, such as seals over gas pump doors or automated video monitoring.
Miscellaneous errors. Industries that deal in information dissemination are threatened by security mistakes such as accidentally sending private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely. To minimise such mistakes, implement data-loss prevention software, strengthen controls on publishing, and train staff on asset disposal.
Related CGMA Magazine content:
“Global Cyber-Attacks Up 48% in 2014”: The number of reported information security incidents around the world rose 48%, according to PwC’s The Global State of Information Security Survey 2015.
“Nine Ways to Bolster Data Security”: Information security consultant Florian Stahl urges companies not to underestimate cyber-threats and provides tips on protecting data from internal and external actors.
“Cyber-Security: How Big Is Risk to Small Businesses?”: Small businesses often lack the resources to maintain a secure IT environment and may falsely assume hackers attack only large organisations. Some simple steps can help small businesses protect themselves against cyber-risks.
—Sabine Vollmer (firstname.lastname@example.org) is a CGMA Magazine senior editor.