In addition to the 56 million credit cards exposed in the recent breach at Home Depot, investigators have now revealed that more than 53 million email addresses were stolen too.
The company, which confirmed the breach of its payment data systems in September, said that a joint investigation by its own staff, law enforcement and third-party IT experts had discovered that separate files containing email addresses had been stolen, but that no passwords, personal information or additional payment card information had been compromised.
A statement released by the company detailed how the breach was accomplished.
Much like the Target breach, in which 40 million payment cards and 70 million other personal records were compromised, the attack was initiated via a third party whose login credentials had been compromised.
That level of access was not enough to reach Home Depot’s payment systems directly, but it did allow the hackers to gain a foothold within the network, from where they were able to acquire elevated rights and deploy custom malware on its self-checkout systems in the US and Canada.
Home Depot said it has now blocked the hackers’ point of entry and removed all traces of their malware from its systems.
It has also implemented new security measures including “enhanced encryption” of payment data within all of its US outlets, though some Canadian stores will have to wait until early 2015 to receive the same level of additional protection.
Home Depot also revealed that chip-and-PIN technology is being rolled out to all of its stores.
Canadian customers are already accustomed to the additional protection afforded by chip-and-PIN, as it has been in use since 2011, but stores in the US are still being upgraded to the new system, which the company says will be fully in place before “the payment industry’s deadline.”
Despite the breach, Home Depot said that it still expects to achieve 4.8% sales growth and diluted earnings per share of $4.54, an increase of over 20% year on year. Those figures, it said, took account of the estimated $62 million in costs associated with the breach, including the provision of free credit monitoring and identity theft protection services to its customers, as well as the likely costs of the investigation and additional call centre staffing expenses.
Though Home Depot appears to have weathered the storm better than some may have expected, it has warned its customers in the US and Canada to be on the lookout for phishing scams following the theft of email addresses.
You should always think before you click on links or open attachments in unsolicited emails. Here are some tips to avoid getting caught out.
Be wary of any emails that appear to have come from Home Depot, or anywhere else for that matter, as the consequences of not doing so can be severe in terms of stolen personal information, damaged finances or even identity theft.
I wonder if they have considered the opportunity cost of losing a few customers due to this. Perhaps they wouldn’t be so happy if they realized how much potential future revenue they have lost!
What makes you think anyone is happy about this? I’m guessing they are well aware of the damage to customer confidence.
Companies are GOING to get breached. There’s just no way around it. There’s always a window of opportunity.
What I look for in a company is how they react to that breach. If they react intelligently, quickly, and vigorously, I don’t count it against them.
Another thing this hack showed (like the Target one) is that vendors can be a point of entry. There should always be strong protections around vendor communications. I work for a company that is a vendor to other companies, so we’re in the same boat as those vendors were to Target and Home Depot.
I’m glad to say that many of our clients are proactively banging on the security drum, and they seem to be doing it well (not just lip service). So, I think the business world is learning.
For a long time, the cost of mitigating against the risk was deemed too high. Executives are learning that the risks are higher than they thought, and the losses due to risky situations are higher, too. Yes, there is a cost to prevent damage from the risks. But, they have no choice any more.
Target made a brilliant move that all companies (including Home Depot) need to make: Require the new Chief Security Officer (CSO, but they’re calling it compliance officer) to report to the Chief Executive Officer (CEO), not through the Chief Financial Officer (CFO). The CFO’s job is to cut costs, not to cut risks. The CSO’s job is to cut risks while doing the best s/he can with costs. Only the CEO can see the objectives of both jobs effectively. Good move, Target. Home Depot, you might want to do the same.