Home Depot Data Breach Exposes Our Growing Complacency
When Target suffered a data breach back in December of 2013, you couldn’t look at a news source without seeing a new story about it. Yet when the Home Depot data breach was revealed recently, it received an almost ho-hum reception in the news. This, even though it was the biggest data breach in retailing history and compromised 56 million of its customers’ credit cards! It seems we have come to expect these data breaches to the point where we have become almost complacent.
Consumers, like the companies that breach our data, have become apocalyptic zombies, staring unquestioningly forward as we are attacked from all sides.
Even scarier is that it appears the retailer itself had become complacent. Former members of Home Depot’s cyber security team said the company was slow to respond to early threats and only belatedly took action. It used outdated Symantec antivirus software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers. These are security oversights that most companies eliminated 5 years ago!
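The "strange server talking to its checkout registers" that the former employees describe is exactly the kind of event continuous network monitoring is meant to catch. The following is an added illustration of that check, written for this article and not code from Home Depot or any vendor named here: it reads a few constructed flow records (assumed timestamp, source, destination, destination port), treats one subnet as the register segment, and flags any host outside an assumed approved list that opens connections to registers, raising the severity when one host fans out across several registers.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real data): timestamp src dst dst_port.
# 10.20.5.0/24 is assumed to be the register segment; 10.50.1.x are assumed
# payment/back-office servers that legitimately talk to registers.
SAMPLE_FLOWS = """\
2014-09-01T08:00:01 10.50.1.10 10.20.5.101 8443
2014-09-01T08:00:03 10.50.1.11 10.20.5.102 8443
2014-09-01T08:00:07 10.20.5.101 10.50.1.10 8443
2014-09-01T08:01:12 10.60.9.77 10.20.5.101 445
2014-09-01T08:01:15 10.60.9.77 10.20.5.102 445
2014-09-01T08:01:19 10.60.9.77 10.20.5.103 445
2014-09-01T08:02:40 10.50.1.10 10.20.5.104 8443
"""

REGISTER_SEGMENT = ipaddress.ip_network("10.20.5.0/24")
APPROVED_PEERS = {
    ipaddress.ip_address("10.50.1.10"),
    ipaddress.ip_address("10.50.1.11"),
}


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return flows


def unexpected_register_peers(flows, register_segment=REGISTER_SEGMENT, approved=APPROVED_PEERS):
    """Return {peer: [registers contacted]} for hosts outside the register
    segment that connect to a register without being on the approved list.
    Register-to-register and register-to-server traffic is not flagged here."""
    hits = defaultdict(set)
    for _ts, src, dst, _port in flows:
        if dst in register_segment and src not in register_segment and src not in approved:
            hits[src].add(dst)
    return {str(peer): sorted(str(r) for r in regs) for peer, regs in hits.items()}


def alerts(flows, fanout_threshold=3):
    """Turn unexpected peers into (severity, peer, registers) alerts; a single
    host reaching several registers is the pattern most worth paging on."""
    out = []
    for peer, regs in unexpected_register_peers(flows).items():
        severity = "high" if len(regs) >= fanout_threshold else "medium"
        out.append((severity, peer, regs))
    return sorted(out)


if __name__ == "__main__":
    for severity, peer, regs in alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"[{severity}] {peer} contacted registers: {', '.join(regs)}")
```

The point of the allow-list design is that a register segment has a very small, stable set of legitimate peers, so "anything else" is a useful alert rather than noise; the approved list and the segment boundary are the assumptions a real deployment would have to maintain.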
Another issue is that Home Depot performed vulnerability scans irregularly and often scanned only a small number of stores. The former employees say that more than a dozen systems handling customer information were not assessed. Home Depot has defended its actions saying that they have complied with industry standards since 2009 and those standards included an exception from scanning store systems that are separated from larger corporate networks.
This brings up a great point: Compliance with laws doesn’t equate to security for customers. And customers leave because of a security breach – they couldn’t care less about compliance mumbo jumbo.
Yet another smudge on their record is that they hired a security engineer, Ricky Joe Mitchell, who had been fired from his previous job. In April, he was sentenced to four months in prison for disabling the computers for a month at that former employer.
After the Target breach, Home Depot brought experts in from Voltage Security, a data security company that introduced enhanced encryption that scrambled payment information the moment a card was swiped in some of its stores. However, by that time it was too late; hackers had been stealing millions of customers’ card information and had gone unnoticed for months. The rollout of the company’s new encryption was not completed until last week.
Home Depot has just become a perfect case study of all of the ways that a corporation can fail to protect itself from a breach. They make Target look like rocket scientists. In the meantime, those of us who are customers continue to pay the price for their ignorance and inability to take responsibility for their data.
John Sileo is an award-winning author and keynote speaker on cyber security and data breach. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.