Brian Krebs (https://krebsonsecurity.com) reported on September 2, 2014 that Home Depot, Inc. (HD.N) appears to have been the target of a massive debit and credit card breach involving nearly all of its U.S. stores. In this case, as in the Target, Sally Beauty Supply, P.F. Chang’s and Harbor Freight breaches, the first evidence of the hacking was the stolen card information showing up for sale in an online cybercrime store.
Krebs examined the zip codes associated with the cards listed for sale and compared their locations with the locations of Home Depot stores. The zip codes are listed so that the criminals who purchase the hacked cards can use them locally, where the transactions are less likely to be flagged by bank security systems.
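The zip-code comparison Krebs performed is a simple overlap analysis, and it is worth seeing how a fraud or incident-response analyst would reproduce it. The following is an added example, not code from Krebs or from this post: it takes the zip codes attached to cards offered for sale, normalizes them (ZIP+4 suffixes and stray whitespace are common in dumps), and ranks candidate retailers by the fraction of those zips that fall inside each retailer's store footprint. All card zips and store locations below are constructed sample values, and the retailer names are hypothetical.

```python
"""Zip-code overlap analysis for attributing a card dump to a retailer.

Added example; constructed data only. Nothing here is real card or store data.
"""
from collections import Counter

# Constructed zip codes attached to cards in a hypothetical dump (not real data).
CARD_ZIPS = [
    "02108", "02108-1234", "02139", " 02139", "02139", "01810", "01810",
    "06510", "10001", "10001", "02108", "01810", "06510", "02139",
]

# Constructed store footprints for two hypothetical retailers (not real locations).
RETAILER_STORE_ZIPS = {
    "RetailerA": {"02108", "02139", "01810", "06510"},
    "RetailerB": {"10001", "60601", "94105"},
}


def normalize_zip(raw):
    """Reduce a raw zip string to its five-digit form; return None if unusable."""
    z = raw.strip().split("-")[0]
    return z if len(z) == 5 and z.isdigit() else None


def overlap_report(card_zips, store_zips):
    """Return (matched, total, fraction): how many card zips sit in the store footprint."""
    counts = Counter(z for z in map(normalize_zip, card_zips) if z)
    total = sum(counts.values())
    matched = sum(n for z, n in counts.items() if z in store_zips)
    return matched, total, (matched / total if total else 0.0)


def rank_retailers(card_zips, footprints):
    """Rank retailers by overlap fraction, best candidate first."""
    scored = {name: overlap_report(card_zips, zips)[2] for name, zips in footprints.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, fraction in rank_retailers(CARD_ZIPS, RETAILER_STORE_ZIPS):
        print(f"{name}: {fraction:.0%} of card zips fall within store footprint")
```

The overlap fraction is suggestive rather than conclusive: a retailer with stores in nearly every zip code would score highly against any dump, so in practice the result should be compared against the fraction of the general population of zip codes that the footprint covers before drawing a conclusion.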
As of this posting, Home Depot’s media relations team has only admitted a “possible payment data breach.” The special webpage set up by Home Depot explains:
We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately.
As with the breach reported on August 14, 2014 involving Albertsons, SuperValu, Inc., Cub Foods, ACME Markets Inc., Jewel Osco, Shaw’s, Star Market, Farm Fresh Supermarket, Hornbacher’s, Shop ‘n Save, Shoppers Food & Pharmacy, and Ab Acquisition LLC, the number of records affected may not be known for some time. See https://datalossdb.org for an updated list of breaches.
More Saving, More PI
Massachusetts’ identity theft law (MGL c. 93H, 201 CMR 17.00) was designed to protect Massachusetts residents from having their Personal Information compromised. Personal Information is commonly referred to as “PI” for short. The definition of PI under this law is simple and most certainly includes the type of credit card information that hackers are interested in.
It takes only three ingredients to make PI in Massachusetts: 1) a first and last name, or a first initial and last name; 2) of a Massachusetts resident; and 3) some identifying information such as a social security number, a driver’s license number, a state-issued ID card number, a credit or debit card number, a financial account number or similar identity information. This definition does not require that a password or security code be associated with the financial account in order for the information to qualify as PI.
Apart from the security requirements of the Payment Card Industry (PCI), the Massachusetts law requires that companies handling credit card data and other PI institute a comprehensive written information security program, or WISP. The compliance standards for a WISP are meant to become more stringent as company size, company revenue and the amount of Personal Information (PI) held increase. The standards also require destruction or culling of PI that is not needed.
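The three-element test above, together with the requirement to cull PI that is no longer needed, is something a data-inventory scan can apply mechanically. The following is an added example, not part of this post and not derived from the regulation's own text: it screens constructed customer records and reports which ones meet the Massachusetts definition (name or initial plus last name, MA residency, and at least one qualifying identifier), so that those records can be routed to retention review. The record field names are assumptions, as is the use of a Luhn checksum to decide whether a digit string is a plausible card number; no password or security code is required, matching the definition.

```python
"""Screen records for Massachusetts PI under the three-element test.

Added example with constructed records; field names and the Luhn check are assumptions.
"""
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


@dataclass
class Record:
    first_name: str = ""      # may be a single initial
    last_name: str = ""
    state: str = ""           # two-letter residency state
    card_number: str = ""
    ssn: str = ""
    drivers_license: str = ""
    account_number: str = ""


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (assumed plausibility check)."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_name(rec):
    """Element 1: last name plus first name or first initial."""
    return bool(rec.last_name.strip()) and bool(rec.first_name.strip())


def is_ma_resident(rec):
    """Element 2: Massachusetts resident."""
    return rec.state.strip().upper() == "MA"


def identifiers(rec):
    """Element 3: list the qualifying identifiers present on the record."""
    found = []
    if luhn_ok(rec.card_number.replace(" ", "")):
        found.append("card_number")
    if SSN_RE.match(rec.ssn):
        found.append("ssn")
    if rec.drivers_license.strip():
        found.append("drivers_license")
    if rec.account_number.strip():
        found.append("account_number")
    return found


def is_massachusetts_pi(rec):
    return has_name(rec) and is_ma_resident(rec) and bool(identifiers(rec))


def triage(records):
    """Split records into (pi, non_pi) for retention review."""
    pi = [r for r in records if is_massachusetts_pi(r)]
    non_pi = [r for r in records if not is_massachusetts_pi(r)]
    return pi, non_pi


# Constructed sample records; the card number is the widely used 4111... test value.
SAMPLE_RECORDS = [
    Record("Jane", "Doe", "MA", card_number="4111 1111 1111 1111"),   # PI
    Record("J", "Doe", "MA", ssn="123-45-6789"),                      # PI (initial suffices)
    Record("John", "Doe", "NY", card_number="4111111111111111"),      # not MA
    Record("", "Doe", "MA", card_number="4111111111111111"),          # no first name/initial
    Record("Jane", "Doe", "MA", card_number="4111111111111112"),      # fails Luhn, no identifier
    Record("Jane", "Doe", "ma", account_number="987654321"),          # PI (state case-insensitive)
]

if __name__ == "__main__":
    pi, non_pi = triage(SAMPLE_RECORDS)
    print(f"{len(pi)} of {len(SAMPLE_RECORDS)} records are Massachusetts PI")
```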
Bigger Should Mean Better
According to Reuters, Home Depot is currently valued at about $120 billion. Under the logic of the compliance standards set forth in the Massachusetts regulations (201 CMR 17.00 et seq.), Home Depot should have the best information security available in the world. Moreover, the compliance standards specifically require “regular” monitoring and upgrading of information security safeguards.
How Can This Happen?
How can this happen again and again to the most sophisticated companies? The Massachusetts identity theft law is still the most rigorous in the country. When advising companies regarding the adoption of information security programs where those companies have operations in many states, the best practice is to make the program compliant with the strictest standards.
The Massachusetts law went into operation in 2010, and therefore Home Depot should have had a comprehensive WISP in place, not only for its Massachusetts customers but also for its Massachusetts employees (i.e., all MA residents with PI). The compliance standards also require that a WISP be reviewed at least annually.
It appears that the Target breach could have been avoided. It occurred when a hacker infiltrated a vendor’s computers with relatively unsophisticated malware. The vendor, a heating and air conditioning contractor for some of Target’s stores, had been given remote access to the Target computer network for the limited purpose of electronic billing. The malware got past internal safeguards and infected the point of sale (POS) systems, enabling the credit card data to be uploaded to the hackers. However, company officials were allegedly “asleep at the switch” when a number of internal security alarms sounded, and failed to aggressively investigate. It will be interesting to learn in the coming weeks whether Home Depot made the same or similar mistakes.