Home Depot is reporting that it could be the point of origin for a massive credit card breach. Multiple banks, correlating compromised accounts, hint that the large home improvement retailer’s 1,977 US stores could have been compromised as far back as April. If true, it could easily dwarf the Target breach last holiday season.
So what does this mean to consumers and merchants? Are big box stores (presumably with ample security budgets) at a greater risk than smaller chains, regional retailers, and mom and pop stores? One thing the security professionals seem to agree, hackers will continue to attack merchants, because it is lucrative. Credit cards can be monetized fairly anonymously and easily by selling them on black-market web sites. As such, until the larger merchants can get a handle on security they will be aggressively targeted, and once they shore up their security controls, the target becomes the smaller chains, and then the nefarious hackers will continue down the stack until it is no longer lucrative – or these security holes are somehow patched. Is that to suggest, smaller chains are not targets today? No, as we have to assume there are many coordinated hacks hitting merchants of all sizes, but at least for now the more sophisticated coordinated attacks are targeting the larger data stores.
Consumer impact?
Little, at best. Consumers should already be monitoring their purchases via monthly statements, online, and text messaging. In other words, continued monitoring and due diligence are strongly recommended. If consumers discover fraudulent activity and report in a timely manner, card issuers typically make them whole. Consumers who never look at their statements should use this recent hack as an incentive; they just might find Neiman Marcus, Target, UPS, PF Chang, AND Home Depot charges they never made. Lessons learned.
National Chain impact?
Clearly they are a target. The question is no longer, “If they get hacked,” but “When will they get hacked.” It is crucial to revisit your security program, make sure multiple effective security layers are in place, test those security controls often, and revisit the Incident Response Program (IRP). Frequent education and awareness trainings for your end users are also key factors in identifying suspicious activity and, most importantly, effectively responding to it quickly. If you do get hacked or notice unusual activity, minimize the damage and recovery quickly by invoking a thorough, tested, comprehensive IRP. Better yet, be proactive – hire security consultant to pen tests you security controls and test your IRP concurrently.
Mid-Tier merchants and beyond impact?
Hackers of late seem to target the larger chains because that is where the larger credit card repositories reside. But less coordinated hackers may be targeting these retailers now. Assuming the large coordinated hackers are not brought to justice, they will likely continue down the stack placing smaller merchants in their cross-hairs. It is time to also revisit the security program with the same vigor as the big box stores, including a risk assessment, to help spend limited security dollars wisely.
Cybersecurity theatre is expanding, clearly the big box stores offer larger more lucrative data stores to harvest, but they also typically more layers of security. But since the big box stores are being hacked, it suggests insufficient security, significant sophistication of the hackers, or both. Provided this continues to be lucrative and there is no reason to believe it will not, expect big box stores to continue to be targeted. Also, expect new momentum for card issuers to expedite the migration to “chip and pin” credit card solutions, eliminating the magnetic stripe. This aligns well with European solutions, but not a panacea.
In short, the best way to protect your organization from being the headline of the next data breach (we all know another is right around the corner) is to create multiple, defensive layers of security, monitor your data for suspicious (start listening to your systems), have a strong IRP implemented and finally frequent end user education and awareness trainings. By creating a holistic security program that reaches and educates all users, your organization will be better equipped to defend against attacks and respond more efficiently.