2014-10-08

On September 8 Home Depot confirmed that it had joined the growing ranks of American companies targeted by a cyber-attack - and that the customer data of approximately 56 million users had been compromised.

These hacks are nothing new, with high-profile retailers like Target, Neiman Marcus and Victoria's Secret falling victim to cyber-attacks in the past year. In addition to retailers, organizations that customers generally assume to operate with the highest levels of security protocols - like JP Morgan Chase - have been subject to their own cyber-attacks.

But the world's largest home-improvement retailer, with 1,977 stores in the United States and 180 in Canada, can now also lay claim to the dubious honor of being the company responsible for allowing one of the largest-ever data breaches on record.

What happened? Home Depot gets a visit from DIY cyber-criminals:

Using custom-built malware to avoid detection, cyber-criminals were able to lift the names, credit card numbers, expiration dates, cardholder verification values and service codes for approximately 56 million customers who made purchases in Home Depot stores between April and September of 2014. Stores in Mexico, online shoppers at both HomeDepot.com and HomeDepot.ca, and customers who paid in store by check were not affected by the malware. Personal identification numbers were also not found to have been compromised.

The company claims that it was alerted to a potential breach the morning of September 2 by law enforcement officials and banking partners who had noticed unusual activity connected to the company's payment systems. The company confirmed the possibility of a breach later that day - hours after investigative reporter Brian Krebs broke the story of the potential breach on his blog. An investigation confirmed that the systems had in fact been compromised - something Krebs had noted was likely after an underground cybercrime outlet dumped a massive number of stolen credit cards on the market that appeared to be linked to zip codes where Home Depot stores were located.

The malware was eventually removed ten days later and it appeared to be unlike any other used in previous attacks, according to the various security partners involved in the investigation.

What makes this hack interesting? A one-stop shop for the latest in criminal activity:

Credit monitoring and fraud protection

The CEO public apology and taking responsibility

New security measures

A criminal investigation

In a surprise twist, it appears the cyber-attack on Home Depot may have been politically motivated and not just a means-to-an-end theft, although the investigation is ongoing. Krebs has noted that those responsible for the Home Depot hack may have been protesting the US and European sanctions against Russia for its aggression against Ukraine - the stolen batches of credit cards were named "American Sanctions" and "European Sanctions."

Supporting this theory is that Western sanctions against Russia were enacted around mid-March and the malware is reported to have been active since April.

As political activism moves increasingly online with collectives like Anonymous rallying around various causes, these sophisticated, politically-motivated attacks by international cyber-criminals could herald a new era of cyber-crime that goes beyond just identity theft.

What's Home Depot doing to address the breach?

Like other retailers such as Target that were hit with similar breaches, Home Depot is offering free identity protection, including credit monitoring for one year to all customers who may have been affected. Customers aren't held responsible for any fraudulent charges, and the company advises any customer who believes they have been subject to a fraudulent charge to contact their fraud resolution services.

CEO Frank Blake apologized on behalf of the company to Home Depot customers in a press release saying the company regrets "the inconvenience and anxiety this [hack] has caused" while reassuring customers they would not be held liable for any fraudulent charges.

In addition to addressing the direct fallout of the breach by helping the customers affected, Home Depot says it has now fixed the issue that led to the hack. It has also enhanced its payment encryption for US stores via a new security initiative provided by Voltage Security Inc. Canadian stores (which already use the more secure "Chip and PIN" technology being rolled out to US stores by the end of the year) will have to wait until early 2015 for their enhanced encryption. Home Depot states that this "major payment security project," which takes payment information and scrambles it to render the information useless to hackers, will offer significant new protection for its customers.

While the breach has now been fixed, the criminal investigation is ongoing and involves various law enforcement agents, the Secret Service, and a number of security firms.

What other retailers can learn from how Home Depot handled the attack:

One of the potential positive takeaways from the Home Depot hack is how it was discovered relatively quickly after just five months - and just hours after the compromised credit card information was put up for sale online. While Target's high profile breach was discovered after just a few weeks, by comparison the Heartbleed encryption bug operated undetected for more than two years, and the recently discovered Bash Bug (also known as Shellshock) is a programming flaw that's existed in system software that's been around since 1989.

Nevertheless, the company is already subject to class action lawsuits filed in both the US and Canada which allege that the retailer failed to protect personal information and did not warn consumers about the breach in a timely manner.

While the fact that Home Depot's cyber-attack continued undetected for more than five months is nothing for the company to be proud of, and while Home Depot itself didn't discover the hack but was alerted to it by outside parties, the way it reacted swiftly to address the hack shows that it's learned from the mistakes of previous organizations when dealing with a potential security breach. JP Morgan Chase, for example, waited months after discovering its website had been hacked to alert the half-million holders of the bank's compromised prepaid cash cards - leaving customers upset about the bank's lack of communication and action.

From the time the potential breach was discovered on the morning of September 2, according to Home Depot's timeline, the company waited just a few hours before alerting the public and opening an investigation. Once the breach was confirmed, Home Depot issued a press release and updated its website, giving customers information about the breach and what to do about it. Ten days later the breach was fixed. Home Depot was the subject of a massive cyber-attack, and its response, while not perfect, is something other companies will learn from moving forward.

The verdict:

The fact that the cyber-hackers used custom-designed malware to attack the Home Depot systems is a sign of the increasingly sophisticated techniques criminals are employing to sneak around standard security protocols. Companies can no longer afford to be satisfied with normal security features that have worked in the past. Additionally, companies cannot afford to wait until the existence of a previous or ongoing cyber-attack is revealed by someone outside the company - in Home Depot's case by journalist Brian Krebs.

As hackers become more and more creative, companies must ensure their data is protected with the most up-to-date security features available. If current trends continue, most companies won't need to plan for whether a cyber-attack will happen, but plan for what will happen when it does.



