Pramod Dibble's Blog


The Home Depot gets itself hacked - The sorry state of cyber-security

03 Sep 2014 | by Pramod Dibble

It seems that The Home Depot has fallen victim to the same kind of attack that put Target and eBay in the headlines earlier this year. While it is still too early to quantify the breach, estimates suggest that this event is more extensive than the 100 million-customer Target hack, which cost that company upwards of $400 million and its CEO his job. Although the magnitude of the breach is almost certainly greater than the Target incident, THD seems to be trying hard to manage the PR of the situation better, notifying its customers that “The financial institution that issued your card or Home Depot are responsible for those [any fraudulent] charges”. THD has been more vocal about which of its customers were affected, and how they were affected, which may suggest that it has learned from past events of this type.

THD has joined a group of companies which, under any other circumstances, would read as marquee names: Adobe, eBay, Target, Google, and Sony. These companies have all suffered massive data breaches over the last few years. The details are as follows:


  • 2014 – AOL, 120 million users’ email addresses were stolen and used to spam links to hazardous websites, which were then used for phishing and malware scams
  • 2014 – Global Payments, several company servers were compromised, allowing access to 1.5 million credit card numbers; the result was $700 million in fraudulent charges and $110 million in repayments to credit card companies
  • 2014 – eBay, employee login credentials were stolen and used to access 150 million customers’ data over a several-month period
  • 2013 – Target, incursion via an HVAC control line allowed hackers to access 110 million customers’ personal data, costing Target over $400 million
  • 2013 – Adobe Systems, lax password requirements allowed a hack of 152 million customers’ profiles, thought to be the largest-volume hack to date
  • 2011 – Epsilon, the customer names and email addresses of about 50 of its 2500 clients were stolen, causing over $200 million in damages (Epsilon clients include Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy, and Robert Half Technologies)
  • 2011 – Sony PlayStation, the PlayStation database was compromised, providing access to 80 million users’ personal and financial data and costing $170 million
  • 2009 – Heartland Payments, spyware exposed 130 million users’ financial information, costing the company $110 million to settle claims
  • 2009 – Dept. of Veterans’ Affairs, a contractor mistake was exploited, allowing access to the personal information of 70 million veterans


These are the major data breaches that have hit the news over the last five years, but I would estimate that for every breach we hear about, there are ten that aren’t discovered or are handled without garnering significant media attention. Additionally, smaller-volume data breaches are often much harder to detect, so while we may hear about the biggest breaches, they almost certainly make up the minority of the total data stolen.

In nearly all of these cases, the intruders were able to gain access because of the lax security standards of the target organization. An employee may have clicked on a link in a suspicious email or neglected to adhere to robust password standards, or the network administrators may not have properly restricted access to server hardware. Very few breaches involve hacking of a sophisticated nature, because so many organizations present themselves to attackers as low-hanging fruit. They fail to observe even the basics of cyber-security, so complex hacking tactics simply aren’t necessary.

The rhetoric is starting to sound tired: “we take our customers’ security seriously and will work with law enforcement to correct the situation” just isn’t going to cut it in the 21st century. Implementing basic cyber-security standards is easy, cheap, and very obviously necessary. The major hacks of the next 12 months will hit those organizations that don’t implement comprehensive security strategies now.
