Possible data breach at Home Depot highlights retailers’ vulnerability
Security experts say they never can be completely protected
The possible data breach at Home Depot Inc. that came to light this past week has raised anew the question of whether retailers can prevent — or at least do more to stop — hackers from swiping customer information.
The home improvement chain said it was working with law enforcement, banking partners and security agencies to investigate “unusual activity” but as of Friday had not confirmed whether a breach has occurred.
On Tuesday, security journalist Brian Krebs reported on his website that Home Depot may be the source of a “massive” trove of debit and credit card information that went on sale in the “cybercrime underworld.”
Home Depot spokeswoman Paula Drake said Wednesday that “our forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning. … There is no higher priority for us at this time.”
If payment data were stolen, Home Depot would join a pack of other companies — including Michaels, Neiman Marcus, P.F. Chang’s and Target Corp. — that have been targeted by hackers who made off with debit and credit card information from customers.
Security experts say large companies can never completely shield themselves against cybercriminals, but many can improve their odds by focusing more attention on closing loopholes in their system.
“The reality we live in today is any company is bleachable,” said Aleksandr Yampolskiy, chief executive of SecurityScorecard Inc., which rates businesses on the level of their security. “If someone is determined enough, they can hack into any company. And for the biggest companies, it’s nearly impossible to secure all of the weakest links.”
As a safeguard, some U.S. retailers have said they will adopt cards with embedded chips that many other countries use in place of cards with magnetic strips that store personal information, which can be more easily counterfeited.
In the past, the high cost of this EMV system — named for its developers: Europay, MasterCard and Visa — has prevented wide adoption by U.S. companies. Instead, credit companies created the Payment Card Industry Security Standards Council in 2006 to push for better protections against consumer data theft.
Many hackers have targeted U.S. companies because they make easier targets than their European counterparts, security analysts say.
“The U.S. has not implemented chip-and-pin, so it’s the low-hanging fruit,” said Nick Economidis, an underwriter at Beazley, which provides insurance for breach response. “There seems to be a general consensus a lot of that fraud has been moved to the U.S.”
But implementing EMV will take years, and some retailers are balking at spending the billions of dollars it will take to replace their current point-of-sale technology. In the meantime, many retailers aren’t doing all they can to prevent hacks, experts say.
Yampolskiy of SecurityScorecard said his company has given Home Depot a C rating for its overall security. Wal-Mart Stores Inc. and Costco Wholesale Corp. both have B ratings.
Home Depot takes about 1.3 days to clean up malware in its system, compared with the retail industry’s average of one day, he said. Hackers have been chattering online about vulnerabilities on the Atlanta retailer’s website since 2008.
“All the signs were there that they weren’t doing enough for security,” Yampolskiy said.
Krebs, who broke the story of the Target data breach last year, said Wednesday that the latest apparent breach involves “nearly all” of Home Depot’s stores around the country and may have started as early as April.
Card data that began popping up at the cybercrime store Rescator on Monday indicated a big U.S. retailer had been breached, Krebs wrote. Rescator was a prime digital storefront for peddling stolen payment information after the hacks at Target, P.F. Chang’s and Sally Beauty Holdings Inc., Krebs said.
Banks have indicated the Home Depot breach probably began in late April or early May, Krebs said, meaning the hacking could have gone on for longer than the one at Target.
“The Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks and resulted in the theft of roughly 40 million debit and credit card numbers,” he wrote. “If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target.”
To guard against hackers, retailers must pay close attention to vulnerable points, security analysis said, such as point-of-sale systems, malware and the security of their third-party suppliers.
Hackers are constantly scanning and probing companies for weaknesses in their systems, and they tend to go after those that are most vulnerable, Beazley’s Economidis said.
Hackers are like “a couple of drug addicts walking through a parking lot looking for cars with the window open,” he said. “When they see one, that’s the car they want to target.”
Constant vigilance is key, and merely complying with current industry protocols is not enough, experts said. Many hackers are part of criminal organizations that are looking to make a huge score by stealing personal data.
“It’s always a cat-and-mouse game,” Yampolskiy said. “Whenever new security is introduced, hackers always find a way around.”