The Home Depot Data Breach

1. The Home Depot hack: unprecedented in numbers

On September 8, 2014, The Home Depot confirmed a data breach that will likely be the largest that has ever occurred in North America. According to the latest estimates, the hacker(s) misappropriated the credit card data of 60 million customers from The Home Depot stores in Canada and the U.S. since last April, although news of it only surfaced last week, implying that the breach went unnoticed for several months. Until this incident, the retail chain Target was leading the pack with respect to data breaches, with 40 million credit cards affected by a system hack that took place in January this year. Meanwhile, the credit card data is being sold in large quantities on the underground marketplace “Rescator”, which has been called “the amazon.com for credit card thieves” by Mark Lanterman, the chief technology officer of a private computer forensic and security firm. Considering that the tab for the Target breach reached USD 148 million in the second quarter of 2014 and continues to grow, The Home Depot will probably suffer even higher costs that cannot yet be calculated.


2. The consequences: investigations, inquiries and lawsuits

Reportedly, the delayed disclosure of the security breach has already triggered an investigation by the U.S. Secret Service, and several U.S. states have launched probes into the matter.

But these are not the only consequences of the breach: in a letter to The Home Depot’s Chairman and CEO Francis S. Blake, Senators John D. Rockefeller IV and Claire McCaskill requested a briefing to the Committee on Commerce, Science and Transportation “regarding Home Depot’s investigation and latest findings on the circumstances that may have permitted unauthorized access to sensitive customer information”.

It was only a matter of days until the first lawsuit was filed by an Illinois resident, who is now seeking compensatory and punitive damages as well as credit card monitoring services for a period of three years from The Home Depot. Meanwhile, The Home Depot is still trying to catch up with the fast-paced reporting in the press while carrying out its own investigations.

3. New rules regulating IT security in the US and the EU

The Home Depot breach is only the largest in a series of similar incidents at Apple and other Fortune 500 companies, but it will undoubtedly give a boost to the draft Data Security and Breach Notification Act of 2014 proposed by Senators Rockefeller, Feinstein, Pryor and Nelson earlier this year. The draft Act calls for new regulations by the Federal Trade Commission (“FTC”) that would require companies to establish a process for identifying and assessing any reasonably foreseeable vulnerabilities in their IT systems and to monitor these systems for security breaches. It also requires the implementation of a process for taking both preventive and corrective action to mitigate any vulnerabilities, and introduces an obligation to report any breach to the individuals affected and to the Commission within 30 days after its discovery, or as promptly as possible. While these reporting obligations are modest compared to those that the latest draft version of the European Data Protection Regulation seeks to introduce (see our earlier post “The Top 8 issues all CIO’s, CSO’s and CPO’s should know about how to notify data breaches in Europe”), the call for regulating the way data breaches are dealt with by private and public entities in the U.S. shows the rising awareness among lawmakers that consumer data is increasingly at risk and must be protected against misappropriation. Some states, such as New Hampshire, have already implemented reporting obligations and have thus taken the lead in notifying affected data subjects and authorities as a first step towards mitigating the consequences of a breach.

The draft Data Security and Breach Notification Act of 2014 takes a novel approach to the security breach challenge by obliging the FTC to consult with the National Institute of Standards and Technology (“NIST”) within one year after enactment of the new law and to issue rules or guidance identifying security technologies and methodologies that can be used to render data unusable, unreadable or indecipherable to hackers who gain access to it. If such technologies are applied by companies processing personal data, the draft Act assumes that no reasonable risk of identity theft or fraud exists following a breach of security.

The positive effects of establishing universally accepted security standards should not be underestimated, as they give companies processing personal data the much-needed legal certainty that their systems and processes are compliant and that they will not be held liable should a breach occur.

The European General Data Protection Regulation takes a similar approach: it provides, in Article 30, that the European Data Protection Board, which shall be composed of the heads of the member states’ supervisory authorities and a supervisor, shall be entrusted with the task of issuing guidelines, recommendations and best practices on the technical and organizational measures that must be implemented by controllers and processors alike, and of defining what constitutes the “state of the art” for specific sectors and in given data processing situations. It goes without saying that creating such standards will not be a one-off effort but a work in progress, as technology keeps changing rapidly and no standardization body can rest on its laurels.

Contrary to the persistent but erroneous belief that the law must remain “technically neutral”, it is indispensable to create technical standards defining which measures offer adequate protection from security breaches, as this question cannot be left to the courts to decide.

The fact that the media report new breaches of varying severity almost every other day suggests that the problem may originate in inherent security shortfalls of long-established payment methods, and may persist until we find and implement alternative ways to process payments for both brick-and-mortar and online stores. Whether the recently announced “Apple Pay” system will indeed provide a solution to this challenge by generating one-time keys for point-of-sale systems and requiring fingerprint authentication remains to be seen. But it is safe to say that the chain of security incidents will only be broken if lawmakers, payment service providers and retailers act in concert to stop cyber criminals in their tracks.

Andreas Leupold

(Thanks to Cédric Laurant for his comments.)
