Why retailers like Home Depot get hacked

Retailers like Home Depot, which recently suffered a major data breach, have known for years about vulnerabilities in payment systems, but have chosen to ignore them, experts say.

Home Depot decided only in January to buy technology that fully encrypts payment card data the moment a card is swiped, The Wall Street Journal reported Monday. The home improvement retailer launched the project in order to avoid a breach on the scale of Target's.

The breach at Target in December compromised 40 million credit-card accounts and contributed to the ouster of its chief executive officer.

Following several months of testing, Home Depot signed a multimillion-dollar contract with a security vendor in April, but by then, hackers may have already cracked the retailer's payment systems, the Journal reported. The company said it discovered it had been hacked in September.

While Home Depot has not said how many credit-card accounts were affected, experts speculate that, given the size of its business, the number of compromised accounts could be in the tens of millions.

Hackers stole card numbers from Target and Home Depot using malware that scraped unencrypted data from the memory of their payment systems.

This exploitable vulnerability has been known for years, yet retailers chose not to upgrade their so-called point-of-sale (POS) systems, because of the cost.

"We have been recommending for years and years and years that people encrypt and tokenize at the swipe, and for years and years and years, they haven't done it," John Kindervag, analyst for Forrester Research, said. "The fact that the attackers are really good and fast is not an excuse."

In data security, tokenizing is the process of substituting card data with a random number that is useless to the hacker. The token often comes from an embedded chip found in new cards.

Apple plans to use such a system in the iPhone 6, so the smartphone can be used instead of a credit card.

Most readers used by U.S. retailers today take the card number in plain text from the magnetic stripe found on most debit and credit cards.

Eric Cole, a cyber-defense lead at the SANS Institute, said retailers have to approach security with the assumption that they will be targeted.

"Security has to be designed into the network and not just add-on components," Cole said.

For example, networks should be designed so that POS systems are not reachable if a hacker breaks into another system on the network that is connected to the Internet.

In the case of Target, malware was planted in POS systems after the hackers stole the login credentials of a supplier that used another portion of the retailer's network.

"(The network) should be segmented, so if a compromise does occur, the amount of damage is contained and controlled," Cole said.

Also, retailers have to stop the practice of using credit-card data for more than just completing a transaction, Kindervag said. Card data is often fed into analytic systems used by marketers to track customer buying habits.

"There's a long-held culture of using the credit card number as a way of analyzing the buying habits of consumers and projecting what they might be in the future," Kindervag said.

Retailers and the marketing people who work for them have to recognize that some data is "just too dangerous to have," he said.
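To illustrate the "encrypt and tokenize at the swipe" recommendation above, and Kindervag's point that analytics can run without ever holding the card number, here is a toy token vault in Python; it is an added example, not code from the article or from any vendor it mentions. The vault class, the `tok_` token format and the sample card number are assumptions for the demo, and the scan for card-number-shaped strings stands in for what a legacy POS leaves in memory versus a tokenized one.

```python
import hashlib, hmac, re, secrets
SAMPLE_PAN = "4111111111111111"  # constructed test number (Luhn-valid, not a real account)
CARD_SHAPED = re.compile(r"\b\d{13,19}\b")

def luhn_ok(pan: str) -> bool:
    """Reject malformed card numbers before they reach the vault."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Token <-> PAN mapping; stands in for the HSM-backed vault kept inside the payment zone."""
    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._pan_by_token, self._token_by_index = {}, {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("malformed PAN")
        # Keyed hash as lookup key: a repeat customer gets the same token, so analytics can
        # track buying habits on tokens instead of on card numbers (assumed design).
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(12)  # random; reveals nothing about the card
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]  # only the payment-processor path should reach this

def exposed_card_numbers(pos_memory: str) -> list:
    """Card-number-shaped, Luhn-valid strings that a search of POS memory would find."""
    return [m for m in CARD_SHAPED.findall(pos_memory) if luhn_ok(m)]

def demo() -> dict:
    vault = TokenVault(secrets.token_bytes(32))
    token = vault.tokenize(SAMPLE_PAN)  # done at the swipe, before the POS handles the sale
    legacy_memory = f"sale pan={SAMPLE_PAN} amount=42.10"  # what a plain-text reader leaves in RAM
    tokenized_memory = f"sale pan={token} amount=42.10"
    return {
        "legacy_exposed": exposed_card_numbers(legacy_memory),
        "tokenized_exposed": exposed_card_numbers(tokenized_memory),
        "same_token_on_repeat": vault.tokenize(SAMPLE_PAN) == token,
        "vault_recovers_pan": vault.detokenize(token) == SAMPLE_PAN,
    }
```

The tokenized POS memory yields nothing card-shaped, while the repeat swipe maps to the same token, which is what lets marketing keep its analysis without the card number.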

Overall, retailers have to approach the avoidance of data breaches the same way energy companies view oil spills, Kindervag said. "It's the most costly thing that could happen to your business."


Stories by Antone Gonsalves
