Yesterday brought further proof – if any were needed – that data breaches are costly for everyone involved.
Home Depot, which revealed a huge data breach in September, said it now faces at least 44 civil lawsuits across the US and Canada after the security slip that left 56 million credit cards and 53 million email addresses exposed.
The company also warned that it expects more claims to be filed by customers and shareholders, as well as card issuers and payment card brands, according to a Securities and Exchange Commission (SEC) filing by Home Depot.
The financial impact of the breach so far stands at $43 million, the company wrote, though it expects to recoup some $15m of that cost via a network security and privacy liability insurance policy.
The resulting $28 million pre-tax net expense covers the three-month period up until 2 November 2014 and takes account of the cost of investigating the breach itself, providing free identity protection and credit monitoring services to customers, and the additional costs associated with an increased demand for call centre staff.
Other expenses include fees in respect of legal and other professional services required in the wake of the data breach.
Home Depot also predicted other future costs in respect of the breach, including further professional services expenses as well as additional capital costs associated with remediation.
The company said the value of potential further expenses and legal costs will likely depend on whether it is deemed to have been compliant with data security standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), at the time of the breach, and on whether any non-compliance (if detected) can be shown to have been instrumental in the criminals gaining access to the data.
Home Depot said its payment card network had been certified as compliant by an independent auditor in autumn 2013, but that the 2014 assessment was still ongoing at the time of the attack, and admitted that it may not be found to have been compliant:
“The forensic investigator working on behalf of the payment card networks may claim the company was not in compliance with those standards at the time of the Data Breach. As a result, we believe it is probable that the payment card networks will make claims against us and that we will dispute those claims.”
Home Depot reiterated its previous announcement of additional measures to prevent another breach occurring in the future, which include rolling out “enhanced encryption” in all of its US stores to make credit card data unreadable, and the complete adoption of EMV Chip-and-PIN technology by the end of the year.
Canadian stores, which are already enabled with Chip and PIN technology, will receive the new encryption system in 2015.
Investigations into the breach are still ongoing, the company said.
Image of Home Depot courtesy of Rob Wilson / Shutterstock.com.
Windows XP is perfectly fine when used with Google Chrome and what I call “Hi” security. I also limit the sites I visit based on my own recognition that there are crazies about. Nobody, least of all MS will tell me what to do and I certainly will not entertain windows ever again, there are better operating systems out there. I will change next year when I can afford to do so. Keep the good work going, I enjoy your info emails. Peter
I didn’t see where in the article the use of Microsoft Windows XP was blamed for the breach.
In any case, believing yourself to be safe using XP, whilst connected to the internet, is naive, regardless of which browser you use. Microsoft aren’t telling you what to do. They just aren’t providing security patches anymore.
Actually, hackers don’t give two hoots which OS you use. They’re only interested that they get you to use your bank card at a store with one of their subverted machines.
Actually, they’d probably be just as happy for you to shop online using Chrome on your copy of XP, riddled with key loggers (-:
Enjoy Black Friday, Mr Anonymous!
Windows XP may be “perfectly fine” for you. But spare a thought for the rest of us, eh, who have to live in the same ecosystem.
(Your 30-year-old Toyota Corolla with 300,000km on the clock and a thirst for cheap motor oil will get you to the shops and back, perhaps for another decade or more, as long as you can avoid having to get a roadworthy certificate. Don’t expect me to be happy with the smoke you belch out, though.)
If you are definitely going to switch from Windows, it sounds as though *any* other OS would be better in your books right now. So why wait until next year?
Your main choices are Linux, one of the BSDs, or Apple’s OS X. Two of those three options are free. What are you waiting for? You can switch now and then switch again when you get the money together if you ever see a Mac in your future.
You’re implying that Macs are immune to viruses… on a security blog… run by a security company… please stop perpetuating this myth.
Errrrr….what???!??…I’m reading your comment a second time…third time….no, sorry, I have no idea what you are talking about.
You lost me at “implying.”
Gentlemen, Windows XP can no longer be used in a HIPAA/HITECH or PCI environment as XP can no longer obtain updates and is no longer a supported OS by Microsoft. Both HIPAA/HITECH and PCI require the OS in use to be a supported OS and that updates can be obtained. It is also a requirement that an AV product be in place to detect and remove a virus. So if you want to get a merchant into an iOS environment there MUST be an AV product installed and a free AV does not fly.
It has been said that XP can be used in a closed environment, i.e. no internet access. But a closed environment doesn’t offer much if any use these days.
As far as Linux and iOS are concerned both are targets especially since Microsoft and the app folks have gotten better at addressing vulnerabilities. If you think back to the days when Apple was heavily running TV ads on how Apple products did not get viruses. Amazingly the ads suddenly stopped the false advertising campaign. They knew full well that that was not the case. Even then the Apple products were appearing on the DHS weekly report.
Besides, AV vendors would not invest resources into having AV products for Linux and iOS if they could not sell it. Notwithstanding, take a look at the DHS weekly report and you will see that no OS or app is immune from risk. It will also boil down to what environment and app present the better target from a vulnerability standpoint and will yield the best return on the bad guys’ investment. Don’t think the bad guys won’t go after Linux if they think they can get either a direct return (i.e. card holder data, mission critical business data) or the OS will give them access into another platform that houses the pot of gold.
The bad guys *do* go after Linux. On a huge scale. Endpoint malware is mostly for Windows, because that’s what endpoints mostly have. The criminal infrastructure that distributes endpoint malware – hacked blogs with malware .EXEs for download; pwned servers hosting malicious JavaScript; otherwise-legitimate websites with “secret” PHP control panels for running a botnet; and so on – is mostly on Linux, because that’s what’s mostly available.
I think I see how they thought you implied those were virus-free:
In your mind, you were probably thinking of “a replacement for Windows”. In their mind, “a replacement for XP”. So, there’s a subtle implication that you listed those 3 because of the security ramifications of XP, assuming they read it wrongly.
I believe your follow-up clearly implies that you meant “something other than Windows”. Could you have worded it better? Perhaps. Personally, I prefer to read all of the possible ways something could be taken, and then ask questions if one or more seem like they really could be the meaning, but wacky when read that way.
It’s sort of a reverse reductio ad absurdum: We know you guys are smart, so it really can’t mean the malware reading.
Hmmm. I think it was pretty clearly worded myself.
The OP said that he “certainly will not entertain windows ever again, there are better operating systems out there.”
To which I replied, “If you are definitely going to switch from Windows…your main choices are Linux, one of the BSDs, or Apple’s OS X.”
Someone managed to turn that into a suggestion that I was saying Macs were immune to malware, which in turn caused me to think, “Whatttttttttt?”
I had my E-mail address exposed (so far) via the Home Depot breach… now the company that they hired to keep as a watchdog, offering the service for free to those of us whom HD didn’t protect in the first place, is marketing me “Don’t let your subscription run out, renew now for only $9.95”. What an insult on top of the insult.