It’s not unusual for a major cybersecurity story to be revealed over a holiday. Holidays themselves are prime time for cybercriminals because people tend to let down their guard at that time, and generally, fewer staff are on hand monitoring things. Of course, we also know that breaches can happen months before they actually make news. By revealing such breaches over the holiday, there might be some hope that people are too busy to take notice.
So, I wasn’t surprised to hear news about a major breach over Labor Day weekend. However, what was different this time around was the news of two huge security breakdowns. The bigger focus has been on the targeted cloud hack and the release of risqué photos of famous actresses. That story is the topic of conversation for just about everybody, from late-night talk shows and news programs to my fantasy football league draft (where I learned more about those photos than I ever wanted to know). And it is important to cover the security and privacy aspects of such a breach, so I do plan to discuss this and why businesses should worry in an upcoming blog post.
However, today I will discuss the lesser-known breach that was revealed over the holiday weekend – the Home Depot breach. It was a credit card breach that reportedly affected more than 2,000 stores. This breach, a number of experts have said, could be bigger than the Target breach, and yet, compared to Target (and to the iCloud hack), this breach is just another blip on the cybersecurity radar. An NPR writer blames it on breach fatigue. Over the past few months, there have been reports of many new IT security meltdowns, so at this point, it’s no big deal unless you can get some great jokes from it for late-night monologues.
However, if you run a business where credit and debit cards are used as a form of payment, you should care about the Home Depot breach for several reasons. First, it hurts customer service. As Tom Cross, director of security research at Lancope, said to me in an email:
These retail compromises can have a direct financial impact on consumers. Some banks issue credit cards that are directly tied to consumer checking accounts. Fraudulent charges made on these cards are immediately deducted from the consumer's bank balance, and the consumer may have to wait for a fraud investigation to complete before they can recover their money.
Second, it hurts the company bottom line. Ryan Wilk, director of customer success with NuData Security, reminded me in an email message that the cost of a data breach rose to $3.5M in 2013, growing 15 percent just last year, according to a Ponemon report. And, Wilk added, it isn’t just the initial financial hit that you have to worry about:
The potential fraud resulting from this breach has the capability to be just as damaging as the original breach – fraudulent credit card purchases could run rampant across countless websites.
Wilk believes that businesses and security professionals need to step up their game not just in their general security efforts but also with a better behavioral analysis:
With a comprehensive, passive behavior profiling system, suspicious activity, such as a fraudulent purchase with a stolen credit card, can be immediately identified and blocked, preventing further damages to victims and future damages to an organization. Behavioral analysis can be used to understand how a user truly acts and when action needs to be taken to prevent fraud. Behavioral analysis has the potential to significantly reduce the damages victims of any breach suffer, adding an additional layer of protection when they need it most.
Will this be the wake-up call that businesses need to improve point-of-sale (POS) security? Tsion Gonen, chief strategy officer with SafeNet, made this observation in an email to me:
Until very recently, companies did not see the financial impacts of data breaches being that significant. However, following the Target breach, this has changed drastically. But unfortunately, what has not changed is how companies secure customer data. This potential breach and the many data breaches we have seen recently are a symptom of an outdated approach to data security. Companies need to have a Plan B that enables them to secure the breach after intruders penetrate the perimeter defenses.
Gonen recommended taking steps such as attaching security directly to the data itself and using data encryption as the last line of defense. That, he said, would make the data useless to thieves.
I think we are all beginning to feel a little data-breach fatigue. (As someone said to me in an email, “It feels like I’m talking to you about a new breach every day.”) The only way to ease that is to improve on security best practices. And, unfortunately, too many companies still haven’t figured that out.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba