The Home Depot Breach Boils Our Blood – and It Should

Companies / Corporate News Sep 26, 2014 - 12:13 PM GMT

Shah Gilani writes: Who should worry about data breaches?

Everyone.

You as an individual are at risk. Your bank account is at risk. Your credit is at risk. You’re at risk in ways you never thought about.

Merchants are at risk, maybe to the tune of tens of billions of dollars.

Banks are at risk. In fact, the whole financial system could be at risk.

And we hate to think about it, but the entire country is at risk.

And then there’s the security implications of breaches of critical U.S. infrastructure imply. And the global geopolitical implications of cyberwar.

That’s scary.

We know that’s all out there, but today I’m going to put a single data breach under a microscope.

So, put on your lab coats and let’s get started…

The E-Castle Walls Are Coming Down

Today, I’m focusing on basic credit and debit transactions.

They’re not basic anymore.

The electronic world we’ve constructed isn’t impenetrable. In fact, it’s pretty porous.

Almost every day businesses are attacked by hackers, by malware, by criminals intent on stealing proprietary information, trade secrets and customer information. They’re going after our payment card numbers, passwords, addresses – anything they need in order to steal or make money.

Corporate and government data breaches are so common now that there’s a website dedicated to what’s happening: www.DataBreachToday.com.

The data breaches that have garnered the most media attention recently are the Target Corp. (NYSE: TGT) and the Home Depot Inc. (NYSE: HD) thefts.

The more recent Home Depot breach dwarfs the one last year at Target. So let’s zero in on what happened at the hardware giant and what’s going to happen in the future.

Home Depot’s more than 2,000 North American stores were all affected. Some 56 million Home Depot customers’ payment cards were exposed – about 40 million Target customers’ cards were breached.

Needless to say, the lawsuits are starting to fly.

One lawsuit, which is seeking class-action status, was filed on behalf of Home Depot customers even before the retailer admitted its systems had been breached. That suit anticipated the eventual admission and points to the fact that Home Depot knew about the breaches and didn’t come clean, which would have helped customers who were subsequently affected protect themselves in some way.

Now banks are getting on the sue-Home Depot bandwagon. Two credit unions are suing and seeking class-action status, claiming unspecified losses related to refunding fraudulent charges, reissuing cards, opening and closing accounts, stopping or blocking payments, notifying customers, increasing fraud monitoring and lost revenues from a drop-off in accounts.

Whether banks can sue merchants for losses related to data breaches is about to be ruled on by a judge in a Target lawsuit. In that suit, Target is trying to derail a consolidated class action by a group of banks claiming the retailer is responsible for their losses. One estimate of Target’s liability to the banks suing it is a cool $18 billion.

If the banks prevail, merchants’ liability in the future will be staggering.

Between banks and customers suing, merchants are going to face charges of breach of confidence, privacy, fiduciary duty, negligent misrepresentation and outright negligence. In short, the plaintiffs are accusing the merchants of failing to meet their legal obligation to protect customers and customers’ banks.

Sometimes, as may be the case with Home Depot, there may be obvious (at least in my mind) culpability. And it may be clear that obligations were not met where they could be reasonably expected.

Apparently, Home Depot knew about the breaches at least five months before going public about it. An outside data security firm warned the retailer about “using out-of-date malware detection” systems. And a former Home Depot information securities manager has said he warned the company about its out-of-date antivirus software on its point-of-sales systems.

It was the point-of-sales systems that were compromised at both Target and Home Depot.

In fact, the U.S. Department of Homeland Security, based on U.S. Secret Service findings, warned Home Depot about Mozart (the name of the malware that infected the retailer’s systems) infiltrating its checkouts.

Data security experts think Mozart to be a customized malware designed to attack Home Depot’s point-of-sale systems. In other words, whoever designed Mozart understood, or knew how to get around, Home Depot’s safety systems. Mozart was “customized” to the retailer’s technology. And it was running for at least five months before anyone detected it.

In a nutshell, the malware used a “RAM scraper” to capture a customer’s card and related information between the time – just milliseconds – it was swiped and the time it took Home Depot’s systems to encrypt the customer’s information.

Wow!

Home Depot encrypted its customers’ information – but Mozart stole the data before encryption occurred.

What will the eventual costs to Home Depot be? What will merchants be responsible for in the future? What was the Secret Service doing looking into Home Depot’s systems? What’s out there in cyberland that we have yet to face, defend ourselves against and combat?

Who knows?

All I know is that technology is a double-edged sword.

Source : http://moneymorning.com/2014/09/25/the-best-hope-for-reducing-taxes-isnt-what-you-think/

Money Morning/The Money Map Report

©2014 Monument Street Publishing. All Rights Reserved. Protected by copyright laws of the United States and international treaties. Any reproduction, copying, or redistribution (electronic or otherwise, including on the world wide web), of content from this website, in whole or in part, is strictly prohibited without the express written permission of Monument Street Publishing. 105 West Monument Street, Baltimore MD 21201, Email: customerservice@moneymorning.com

Disclaimer: Nothing published by Money Morning should be considered personalized investment advice. Although our employees may answer your general customer service questions, they are not licensed under securities laws to address your particular investment situation. No communication by our employees to you should be deemed as personalized investent advice. We expressly forbid our writers from having a financial interest in any security recommended to our readers. All of our employees and agents must wait 24 hours after on-line publication, or after the mailing of printed-only publication prior to following an initial recommendation. Any investments recommended by Money Morning should be made only after consulting with your investment advisor and only after reviewing the prospectus or financial statements of the company.

Money Morning Archive

Only logged in users are allowed to post comments. Register/ Log in

The Market Oracle is a FREE Financial Markets Forecasting & Analysis web-site.
(c) 2005-2024 MarketOracle.co.uk (Market Oracle Ltd) - Market Oracle Ltd asserts copyright on all articles authored by our editorial team and all comments posted. Any and all information provided within the web-site, is for general information purposes only and Market Oracle Ltd do not warrant the accuracy, timeliness or suitability of any information provided on this site. nor is or shall be deemed to constitute, financial or any other advice or recommendation by us. and are also not meant to be investment advice or solicitation or recommendation to establish market positions. We do not give investment advice and our comments are an expression of opinion only and should not be construed in any manner whatsoever as recommendations to enter into a market position either stock, option, futures contract, bonds, commodity or any other financial instrument at any time. We recommend that independent professional advice is obtained before you make any investment or trading decisions. By using this site you agree to this sites Terms of Use. From time to time we promote or endorse certain products / services that we believe are worthy of your time and attention. In return for that endorsement and only in the cases where you purchase directly though us may we be compensated by the producers of those products.