By Chris DiMarco
The incident underscores the risk of cybercrime not only for customers but for executives.
Rumblings of a breach of Home Depot’s information systems began in early September; however, the company was slow to reveal the extent to which customers were affected. After an initial warning from banks and a report from cybersecurity newshound Brian Krebs on Sept 2, confirmation of the incident was not released until almost a week later on Sept 8. Details of the breach were not made available by the company until Sept 18, when it announced that the cyberattack put payment card information at risk for approximately 56 million unique cards and that the malware linked to the attack was believed to be present between April and September 2014. Every store in North America is believed to have been involved.
With so many people involved, it can be easy to fault the home improvement giant for the glacial speed at which it gave out information. But Home Depot says that the investigation uncovering those details began on the same day as the bank-issued warnings and that the infection has now been contained.
The malware in question is believed to be similar to that used in the Target breach, which affected over 40 million customers in late 2013. The malware affects point-of-sale kiosks and checkout lines, and in the Home Depot case, may have specifically targeted self-checkout lines.
In response to the issue, Frank Blake, chairman and CEO of Home Depot, has said, “We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges. From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”
Given the increasing frequency of massive data breaches like this, though, customer anxiety is no longer easily assuaged by increased security standards, free credit monitoring software and a promise to do better. That in turn manifests as anxiety for the C-suite. Following the Target incident, multiple high-level executives were terminated or stepped down for lack of proactivity in shoring up Target’s cyber defenses. While there has been no word yet on similar moves at Home Depot, it’s an inevitability that someone will need to pay the piper.
Even more worrisome for both customers and executives is a New York Times report out today that cites multiple former and current Home Depot employees who witnessed negligent customer data handling throughout its stores. According to that article, “several people who have worked in Home Depot’s security group in recent years said managers failed to take such threats as seriously as they should have. They said managers relied on outdated Symantec antivirus software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.”
While experts have warned that cybersecurity should be a priority for corporations, the events of the last two years have proven that even considerable investment can be foiled by innovative hackers. And as the casualty roll call begins to look more like the average American’s weekend errand list, you can expect it to continue to be a topic of conversation,