It wasn’t that long ago that consumers were apprehensive about the risks of buying online. With the recent rash of retailers falling victim to point-of-sale malware, the tables may have turned. Last week Home Depot confirmed a potentially massive data breach and officially joined the ranks of Target, Neiman Marcus, P.F. Chang’s, Goodwill and other retailers that have been hit.
Signs indicate the hackers responsible for the attack belong to the same group that hit Target last year. Even the malware they used is a variant of the virus used against Target.
The Home Depot hack could go back as far as April, when security experts and financial institutions first linked stolen credit card data to compromised accounts of users who had made purchases from the chain.
This breach has the potential to touch even more consumers than the attack on Target. The Target breach affected 40 million cards. The number of cards affected by the Home Depot breach is unknown, but the home improvement giant is larger than Target and has more locations. Home Depot operates 2,266 stores, and its systems could have been compromised for up to four months during the busiest season for the home improvement market. In comparison, Target has 1,795 stores and its breach lasted just 21 days.
Home Depot is facing additional criticism because it appears they either ignored or were oblivious to the problem. The story was broken not by the company itself, but by security blogger Brian Krebs. Home Depot is already facing lawsuits from customers and financial institutions. The government has also gotten in on the action, with two Senators asking the Federal Trade Commission to probe the retailer’s systems and five states starting their own investigations.
The major challenge facing retailers is existing payment card technology itself. Credit cards have not changed much since they were introduced in the 1960s. They still use a magnetic strip that stores data in an unencrypted format. There are more secure technologies available, but the retail and payment card industries have been dragging their feet due to costs. The newer cards contain an embedded microchip, so they’re more expensive to manufacture, and retailers must make expensive upgrades to their hardware.
Another issue for large retailers is the sheer size of their networks. There are many vulnerability points, from unsuspecting employees who fall for a phishing attempt to logins used by vendors and suppliers. Once a hacker finds their way in, they can use lax permissions to move through the network, infecting vulnerable machines and gaining access to other stores. The Target breach was traced back to a single location.
While the exact details in the Home Depot breach are not yet clear, it’s unlikely the company will be the last victim. Hackers are undoubtedly working on the next generation of point-of-sale malware.
Learn more about the biggest retail hacking scandals in cyber security expert Scott Schober’s Retail Sector Security Report.