
Illustration by Steve McCracken

Chain Reaction

When U.S.-based retailer Home Depot announced in September 2014 that it had been the victim of a large-scale cyberattack, banks and consumers were still feeling the pain of the Target breach, which compromised the payment card data of roughly 40 million Americans in late 2013. But the Home Depot breach was even larger, with an estimated 56 million payment cards affected. The investigation later revealed that 53 million e-mail addresses were also exposed.

The breach's cost to the chain itself is smaller than Target's. Home Depot has estimated that the breach will cost the retailer around $62 million, with about $27 million of that, nearly 44 percent, reimbursed by insurance. Target reported losses of $148 million after its late-2013 breach; of those losses, which included insurance liability, investigation costs, and legal fees, insurance covered $38 million, or roughly 26 percent.

News of the Home Depot breach was first reported by investigative journalist Brian Krebs of KrebsOnSecurity on September 2, 2014, after several banks told Krebs that batches of payment cards were suddenly going on sale on an underground cybercrime website. Home Depot formally confirmed the breach on September 8. Ten days after that, the chain stated that the malware had been eliminated from its systems, but that the attack had begun in April. The home improvement chain, which has big-box retail stores in the United States, Canada, and Mexico as well as an online store, said that only its U.S. and Canadian stores had been affected.

Experts say the malware used against Home Depot resembled the malware used in the Target attack, and Home Depot announced in early November that the criminals had "used a third-party vendor's username and password" to enter its network, then escalated those privileges to move deeper into the network. Federal agencies, including the U.S. Secret Service and the FBI, are aiding the investigation. What is clear so far is that some type of RAM (random access memory) scraping malware was installed on the point-of-sale (POS) terminals where customers swipe their payment cards.

The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to protect cardholder data, including encrypting it when it is stored and when it is transmitted over public networks. But the data read from the card's magnetic stripe must pass through the POS system's memory in cleartext, if only briefly, before the application encrypts it for transmission. RAM-scraping malware reads that memory as cards are swiped, picks out the track data, and exfiltrates the accumulated records to a remote server.
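That cleartext window is what both the malware and a memory-forensics triage script look for. The following is an added example, not code from the article or from any malware recovered in these investigations: it scans a raw memory buffer for ISO/IEC 7813 Track 1 and Track 2 layouts and uses the Luhn check digit to discard numeric noise, the same two-step filter a RAM scraper applies so it does not harvest garbage. The memory dump, the cardholder name and the record layout around the tracks are constructed for the example; the PANs are published test card numbers that pass the Luhn check but are not issued to anyone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO/IEC 7813 track layouts as the magnetic stripe reader hands them to the POS application.
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{4})(\d{3})([0-9A-Z ]{0,40})\?")
# Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TrackHit:
    track: int
    offset: int
    pan: str
    expiry: str            # YYMM
    name: Optional[str]    # only present on track 1


def scan_memory(buf: bytes) -> List[TrackHit]:
    """Locate Luhn-valid track data in a raw memory buffer, ordered by offset."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append(TrackHit(1, m.start(), pan, m.group(3).decode(), m.group(2).decode().strip()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append(TrackHit(2, m.start(), pan, m.group(2).decode(), None))
    return sorted(hits, key=lambda h: h.offset)


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def report(buf: bytes) -> List[str]:
    """Human-readable triage lines; PANs are masked so the report itself is not cardholder data."""
    return [
        f"track{h.track} @0x{h.offset:06x} PAN {mask_pan(h.pan)} exp {h.expiry}"
        + (f" name {h.name}" if h.name else "")
        for h in scan_memory(buf)
    ]


# Constructed stand-in for a slice of POS process memory: application strings around
# two swipes, plus a decoy record whose PAN fails the Luhn check.
CONSTRUCTED_DUMP = (
    b"\x00\x00MSR_READ\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234500000000?"     # track 1, test PAN
    b"\x00\x00\x00TENDER=CREDIT\x00"
    b";4111111111111111=25121011234567890?"                  # track 2 of the same card
    b"\x00;4111111111111112=25121010000000000?"              # decoy: right shape, wrong check digit
    b"\x00SKU=1234567890123\x00"                             # 13 digits, but not a track record
    b";5500000000000004=26011010000000000?"                  # track 2, second test PAN
)

if __name__ == "__main__":
    for line in report(CONSTRUCTED_DUMP):
        print(line)
```

Run against a real process dump, a non-empty hit list confirms that track data sits in cleartext in the POS application's address space, which is the condition PCI compliance on its own does not rule out. The Luhn step matters in both directions: it is why a scraper's output is clean enough to sell, and why a forensic scan of a dump full of SKUs and timestamps does not drown in false positives.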

Rahul Kashyap, chief security architect and head of security research at Bromium, calls PCI compliance the "bare minimum" when it comes to guarding networks against these hacks. "It's a checkbox item. I don't think being PCI compliant is really going to be enough, because the thing about attackers is that once they target you, and once they know what systems you have in house, they'll find ways to bypass that," he notes.

The low and slow attack that quietly exfiltrates payment card data with POS malware is exactly the kind that hackers hope to execute for two reasons: it maximizes the amount of money they'll gain from the exploit and minimizes the cost of executing the breach, according to Kashyap. "Attackers are beginning to focus on areas where there is money or something to be stolen, [using] attacks which are not very sophisticated," he notes.

And these damaging attacks are also difficult to guard against. "If you've got enough time and resources and you do your research, [hackers will] find out what the target security software is, what other software they are running," notes John Shier, senior security adviser at Sophos. "If you're able to do that, you're capable of creating exploits or malware that the particular piece of software will not be able to detect."

EMV (Europay, MasterCard, and Visa) chip-and-PIN technology blunts this kind of POS attack because the card's data lives in a microchip rather than on a static magnetic stripe, and the chip authenticates each transaction with a cryptogram unique to that transaction, so data captured from one purchase cannot be written to a counterfeit card and replayed the way stolen stripe data can. Customers also enter their PIN (typically four digits) for each in-person transaction. Chip cards do not by themselves stop malware from reading the card number out of terminal memory; what they remove is the ability to turn that data into a working counterfeit card, which is where most of the value of a stripe dump lies. Chip-and-PIN is already prevalent at POS terminals throughout Europe and Canada, but U.S. retailers have been slow to roll it out. Home Depot said it would have chip-and-PIN capability installed at all its U.S. stores by the end of 2014, ahead of the October 2015 deadline set by the card brands, after which liability for counterfeit-card fraud shifts to whichever party has not adopted chip technology.

To keep POS terminals from being compromised, Kashyap recommends that companies isolate their payment networks entirely from any external Internet connection. In addition, staying current on system patches is basic but crucial network hygiene, says Eric Ouellet, vice president of strategy at Bay Dynamics.
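Isolation is only meaningful if it is verified, and the cheapest verification is to audit what actually leaves the payment segment. As an added example, not part of the article and not Home Depot's configuration, the script below checks flow records exported from a POS segment against an egress allowlist: any outbound flow from a POS host to a destination other than the payment processor or the in-store payment controller is a policy violation, and even permitted peers are flagged when outbound volume is out of proportion to card authorizations. The subnet, the processor and controller addresses (taken from the RFC 5737 documentation ranges and private space), the flow-record format and the sample flows are all constructed for this example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Hypothetical addressing for this example only.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")            # card-present POS VLAN
ALLOWED_EGRESS = {                                              # the only (host, port) pairs POS devices may reach
    (ipaddress.ip_address("198.51.100.10"), 443),                # payment processor gateway (TEST-NET-2 placeholder)
    (ipaddress.ip_address("10.50.255.5"), 8443),                 # in-store payment controller
}
# Authorizations are a few kilobytes each; one flow carrying megabytes out of a
# POS host is worth a look even when the peer is permitted.
HIGH_VOLUME_BYTES = 5_000_000


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Constructed record format for the example: '<src> <dst> <dport> <proto> <bytes>'."""
    src, dst, dport, proto, nbytes = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, int(nbytes))


def classify(flow: Flow) -> str:
    if flow.src not in POS_SEGMENT:
        return "not-pos"                  # other segments are out of scope for this rule set
    if flow.dst in POS_SEGMENT:
        return "intra-segment"            # POS-to-POS traffic; not egress, deserves its own rule
    if (flow.dst, flow.dport) in ALLOWED_EGRESS:
        return "allowed" if flow.bytes_out < HIGH_VOLUME_BYTES else "allowed-high-volume"
    return "violation"                    # any other destination means the segment is not isolated


def audit(lines: Iterable[str]) -> Dict[str, List[Flow]]:
    """Bucket every flow record by classification."""
    buckets: Dict[str, List[Flow]] = defaultdict(list)
    for line in lines:
        if line.strip():
            flow = parse_flow(line)
            buckets[classify(flow)].append(flow)
    return dict(buckets)


def bytes_by_destination(flows: Iterable[Flow]) -> List[Tuple[str, int]]:
    """Total outbound bytes per destination, largest first, to prioritise response."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f"{f.dst}:{f.dport}"] += f.bytes_out
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed flow records: two clean authorizations, one POS-to-POS SMB flow, a large
# upload to an unknown external host, an Internet DNS lookup, a flow from another
# segment, and an oversized flow to the legitimate processor.
SAMPLE_FLOWS = """
10.50.0.21 198.51.100.10 443 tcp 18240
10.50.0.21 10.50.0.22 445 tcp 9000
10.50.0.33 203.0.113.77 443 tcp 7340000
10.50.0.33 203.0.113.53 53 udp 512
10.50.0.21 10.50.255.5 8443 tcp 220000
10.20.1.5 203.0.113.77 443 tcp 1200
10.50.0.40 198.51.100.10 443 tcp 9800000
""".strip().splitlines()

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for category in ("violation", "allowed-high-volume", "allowed", "intra-segment", "not-pos"):
        print(f"{category:20s} {len(result.get(category, []))}")
    for dst, total in bytes_by_destination(result.get("violation", [])):
        print(f"  egress violation -> {dst}  {total} bytes")
```

On a segment that really is cut off from the Internet the "violation" bucket should be empty on every run; the DNS flow in the sample is the kind of small, easily overlooked record that shows a path to the Internet still exists, and the 7 MB upload to an unlisted host is what a card-data exfiltration looks like in flow data. The oversized flow to the processor is not a violation, but a host sending megabytes where kilobytes are expected is a signal the allowlist alone cannot give you.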

Ouellet adds that companies are more likely than ever to fall victim to breach fatigue. "People are hearing about the 'breach of the day'…there's a concern that people might become very complacent about all of these attacks." This makes it more important than ever to stay on top of best practices and keep a close eye on your systems, he notes.

"You can deploy all the security controls you want, but if they're not deployed properly and not operating as expected, then you might as well have nothing at all," adds Shier. He says that there's a level of acceptable risk companies do have to take, noting that if a company budgets $1 billion for a breach that only costs $100 million, "that's a magnitude of difference," and may not be worth the cost.

While organizations have to evaluate the cost of security controls versus potential risk, Kashyap notes that damage to a company's brand is beyond a dollar value.

"Most people have been trying to avoid the extra expenses; however, now I think people realize that you lose a lot more in the cleanup process and damage your brand," he says.