The breach in payment card systems Essay
On September 8th , 2014, Home Depot (HD) released a statement indicating that its payment card systems were breached. Criminal hackers gained access to some 56 million Home Depot customer credit, debit cards (WSJ).
How/why did it happen? Discovery, fault?
Home Depot hack was similar to Target store. Hackers used credentials stolen from a trusted third-party vendor to break into their perimeter network. Hackers then used vulnerability in Microsoft Windows to gain access to 7,500 self-checkout lanes (Point of sales terminals). Home Depot did install the patch to fix vulnerability but it was it was too late . The hackers targeted self-check lanes as computer system clearly identified them as payment terminals while other POS terminals were just numbered (kerbs, WSJ).
Multiple banks first noticed the breach. Banks started seeing massive sale of stolen credit and debit in the cybercrime underground network. "The malicious software installed on the self-checkout terminals lurked undetected for five months". The hack might have gone unnoticed for much longer duration if the hackers hadn't put batches of stolen credit-card numbers for sale. Home Depot soon acknowledged it's working with law enforcement agencies and bank to investigate suspicious activity (kerbs, WSJ).
Before Home depot could fully complete the investigation, Banks J.P. Morgan Chase and capital One Financial Corp started pre-emptive re-issuing card as it affected millions of their customers (WSJ).
Include a brief timeline of major events (3-5 dates).
Sept 2nd - The breach first noticed by multiple banks. Also Secret Service had found a "batch of suspicious credit-card numbers for sale in an online hacking forum known as Rescator" (Fortune).
Sept 8th - Home Depot confirmed breach on Sept. 8
April 2014 Hack started around this time as HD started offering free credit monitoring and identity protection to customers who shopped there since April. HD also acknowledge it been going on for five months.
Brand HD brand was not tarnished as much as Target, which had similar breach few months ago. Target breach occurred around holiday season and got lot of bad press. HD came around September, which is lean season for home improvement, which helped in protecting their brand.
Customer confidence Customer confidence was not affected, it might be due to 'data-breach fatigue'. Consumers are tired of hearing and dealing with the breach phenomenon. Unlike Target, HD doesn't have to lure customer with discounts or promotions to its store.
In January 2014 Home depot has created a detailed playbook on how to respond to a hack based on lesson learned from Target. It contained "specific media talking points to address a various scenarios, sample letters to customers and law enforcement, and task lists outlining executive responsibilities". Playbook probably played a part in protecting brand and customer confidence along with quick response (WSJ).
Regulatory HD disclosed only need to know basis detail about breach, only what is required by regulatory need. Many weak controls for PCI had to be fixed. The company "implemented enhanced encryption of payment data in all U.S. stores" (homedepot).