Ex-Employees Say Home Depot Left Data Vulnerable (nytimes.com)
72 points by jrochkind1 on Sept 20, 2014 | 46 comments



We have two issues here which are both bad.

One, big corporates that don't take the appropriate steps because of incompetence, corporate inertia and a lack of consequences. People who say something are not taken seriously and the good ones leave.

The other has to do with startups that are dealing with sensitive information and do not take the appropriate steps to secure it because they would rather win the VC lottery. Putting customers' data at risk is ok if they can get their payday.

I have personally observed two startups that have done this.

One was a startup working in the identity management and protection space logging sensitive information in plain text on their servers and bringing them down to unsecured local dev boxes for debugging. When I asked them about it they said they knew what they were doing was wrong but didn't feel like it was a big deal. From their point of view they didn't think they were a target. Of course they also didn't feel that it was worth the cost.

The other was a banking startup that was storing Social Security Numbers and account details that would allow direct access to bank accounts on Heroku PostgreSQL databases. Once again, when I brought it to their attention, making the product look good for the next round of funding was more important than a customer having their bank account cleared out or having their identity stolen. Incidentally, many of the developers for this banking application had come from a large established accounting company and didn't see anything wrong with what they were doing.

What this really comes down to is ethics. Is it ethical to cut a corner and save money on development if it means that a data breach of our system could lead to possibly significant financial consequences for our customers?

I personally try to adhere to the ACM code of ethics http://www.acm.org/about/code-of-ethics . But unlike the field of medicine, where even the worst doctor has been vetted by a committee of professionals, we have no bodies that evaluate the character of people in our field, nor an oath like the Hippocratic oath that is an automatic piece of the training.

If more engineers were willing to say no and even quit over poor security practices I'll bet you security would be taken more seriously.


> We have two issues here which are both bad.

Sorry, where does anything in this article mention startups?


Things like this just means we should really bring out something that doesn't expose the magic 16 digits of "charge me anything" to the world. Tokenization schemes like Apple Pay go a long way to securing the general public in an easy to use way.


So what's the chance one number out of the 50+ million will be used fraudulently? 1%? 10%?


I've already received notice from Discover that they are sending me a new card. They didn't mention Home Depot but did say that my current card had the potential to be used fraudulently.

If the card companies can issue new cards quickly enough they can contain the damage. 50 million is a lot though.


Things like this will continue to happen as long as the government insists on slapping companies on the wrist with small fines, which most of the time is a tiny portion of their annual profits.

My solution: hold the executive management directly liable for all security breaches that compromise customer data. Send a few of them to jail and you will suddenly see other companies treat information security with the seriousness it deserves.

(Most corporate CEOs make millions of dollars a year on top of an untold number of perks. It's time for them to start earning it.)


In this particular case, what is the justification for the Government fining them? Did the customers lose something that they were not adequately compensated for by existing system? Exactly who would we be protecting?

To me, this sounds like a matter to be handled between the banks, card processors, and Home Depot.


What I don't understand about these massive breaches is that once a pattern has been established all the cards get flagged... right? Which greatly increases the likelihood of subsequent transactions being flagged on the spot, which makes the risk of being caught much greater. Wouldn't the hackers and their clients be better served by much smaller batches of credit cards that aren't clearly from the same breach?


You're right, but they do it in a sneaky way to try and avoid that.

The Russian/Ukrainian rings that hit Target and Home Depot (and various other companies) gathered the cards in secret over many months, while not actually using or selling any of them. Then once they feel like they've gathered enough cards to compensate them for their time, or if they feel like they'll lose access or get caught in the near future, they dump them in bulk batches. Generally these breaches, and the company that was breached, get discovered after the very first dump batch. The banks who issue the credit cards can often figure out what store was breached if they're given a random sample of 1000 or so credit cards; they just correlate the cardholder locations with the stores in the area, and see what store has the most overlap. Often bank security personnel are some of the first to buy the credit card dumps. In fact, this is how Home Depot and Target both found out they were even breached at all: the banks ran their analytics on the dumps and informed them.

After the first batch is released, the subsequent batches are usually less likely to work, but sometimes the banks will just issue notices saying "you recently shopped at Home Depot, please check your account statement" instead of blanket disabling all the cards. In those cases, staggering the dumps in batches increases the overall fraud gain.

You can learn more about these kinds of tactics on Brian Krebs' blog: http://krebsonsecurity.com/
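The "which store has the most overlap" correlation described in this comment is usually called common-point-of-purchase analysis. The sketch below is an added illustration, not code from the thread or from any bank: given a sample of card tokens from a dump and the issuer's own transaction log, it ranks merchants by how strongly the compromised cards over-represent them compared with the issuer's other cards, so that a merchant everyone uses does not drown out the real signal. All tokens, merchant names and log rows are constructed.

```python
"""Common-point-of-purchase (CPP) ranking over an issuer's transaction log.

Constructed example: card identifiers are opaque tokens, not real card numbers,
and the merchants are fictional. Assumes the issuer can join the dump sample
to its own transaction history by card.
"""
from collections import defaultdict

# Constructed dump sample: 10 of the issuer's cards appeared in the batch.
COMPROMISED = {f"c{i:02d}" for i in range(1, 11)}
# Constructed control population: 10 other cards on the issuer's books.
CONTROL_CARDS = [f"c{i:02d}" for i in range(11, 21)]


def constructed_log():
    """Build a small (card_token, merchant) log with one planted breach pattern."""
    log = []
    for card in sorted(COMPROMISED):
        log.append((card, "GroceryMart"))            # everyone shops here
        if card != "c05":                            # 9 of 10 dumped cards hit HardwareCo
            log.append((card, "HardwareCo"))
        if card in {"c02", "c07"}:
            log.append((card, "CoffeeChain"))        # incidental noise
    for card in CONTROL_CARDS:
        log.append((card, "GroceryMart"))
        if card in {"c11", "c14"}:                   # only 2 of 10 control cards used HardwareCo
            log.append((card, "HardwareCo"))
        if card in {"c12", "c13", "c15", "c16"}:
            log.append((card, "CoffeeChain"))
    return log


def merchants_by_card(transactions):
    """Map each card token to the set of merchants it was used at."""
    by_card = defaultdict(set)
    for card, merchant in transactions:
        by_card[card].add(merchant)
    return by_card


def common_point_of_purchase(transactions, compromised, min_overlap=3):
    """Rank merchants by lift: share of compromised cards seen there divided by
    the share of control cards seen there. Returns a list of
    (merchant, compromised_hits, control_hits, lift), highest lift first.
    Merchants below min_overlap compromised hits are dropped as noise."""
    by_card = merchants_by_card(transactions)
    sample = {c for c in compromised if c in by_card}
    control = set(by_card) - sample
    if not sample or not control:
        raise ValueError("need both compromised and control cards in the log")
    merchants = {m for ms in by_card.values() for m in ms}
    results = []
    for merchant in merchants:
        hits = sum(1 for c in sample if merchant in by_card[c])
        if hits < min_overlap:
            continue
        ctrl_hits = sum(1 for c in control if merchant in by_card[c])
        # Integer cross-multiplication keeps the ratio exact; a merchant seen
        # only by compromised cards gets infinite lift (strongest possible signal).
        if ctrl_hits == 0:
            lift = float("inf")
        else:
            lift = (hits * len(control)) / (ctrl_hits * len(sample))
        results.append((merchant, hits, ctrl_hits, lift))
    results.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return results


def top_suspect(transactions, compromised):
    """Name of the merchant with the highest lift, or None if nothing qualifies."""
    ranked = common_point_of_purchase(transactions, compromised)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    for row in common_point_of_purchase(constructed_log(), COMPROMISED):
        print(row)
```

A real issuer would run the same join over millions of rows and also bound the date range to the suspected breach window; the point the toy shows is the baseline normalisation, without which GroceryMart would look just as suspicious as HardwareCo.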


Probably the most strategic way to use 50mm credit cards would be to use them destructively, rather than just for direct gain. (All of this is illegal as well as immoral, but just presented so people can develop countermeasures)

Know that using the credit cards will cause the accounts to get frozen, which will cause decreased purchasing; it will also scare people away from those stores, and possibly from purchasing in general.

A nation state could do this for disruption directly; Russia could filter the 50mm cards to find cards belonging to US people (or just assume home depot = usa), and intentionally cause transactions requiring replacement. Do this on the last week before xmas, or black friday, or some other strategic time.

A criminal organization could use the breach to manipulate the stock market -- either directly (shares in the breached company tank, although this doesn't happen to a very large extent), or by blocking cards used at one merchant in particular, raise the sales of a competitor indirectly.

There's also straight extortion -- we'll sell these back to you and go away IFF you pay us.


Interesting tactic, and I could definitely see it being employed by an intelligence agency, but it's unlikely the fraudsters would be able to see any significant monetary gain from it. As you alluded, Home Depot's stock didn't decrease that much, and it bounced back shortly afterwards.

Some of the fraudsters and criminals are politically motivated to an extent, especially with the recent US sanctions against Russia (the codename for the Home Depot card dump is "American Sanctions"), which you can read more about here: http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-ma... The POS malware even has some not so subtle anti-American images embedded within it.

But that said, they care about the money above all else. The rest is just a little added motivation.


For the hackers who broke in and gathered the numbers, large batches of fresh numbers make them the most money. They sell the dumps and the more numbers/the more recent, the more they make. So hitting a big target, gathering a huge collection, and then dumping it all at once is the most profitable. The people who buy the dumps have to worry about cards getting flagged, but not the people selling them, and the hackers dumping the cards don't really care what the people who buy the dumps have to deal with, they just care about getting the most cash they can.

Also since any release at all is highly likely to trigger an investigation, a small dump could be the last, so a big dump is the lowest risk.


It does sound like Home Depot's management may have failed to practice due care in protecting their customers' credit card data. That will be perceived as a failure of corporate governance and expose the company to charges of negligence. I'm surprised they let it go on this long. It seems like there will be a material effect on the company's operations now...


One thing I haven't seen the popular media take Home Depot to task on is: Why didn't they review their security after the Target breach?

The Target thing was announced in December last year. Home Depot had between then and April-May to do a full review and see if they too were vulnerable. Not only did they fail to do that, but they failed to find this issue for 5 additional months(!).

I liken it to being a miner, watching the canary die, and then continuing to work. Then you're shocked, shocked that there was poisonous gas in the mine when you "found out" hours later.

I just looked up "gross negligence" (per corporate law) and this seems to wholly fit. This is almost textbook gross negligence, but yet not a single prosecutor in the US has gone after Home Depot. Why is that?

In fact it seems like Home Depot will walk away from this almost cost-free, no fines, no prosecution, no significant costs (the "free monitoring" is stupidly inexpensive, plus nobody actually utilises it), and only minor negative PR.

Maybe states should just fine companies 10c for every Credit or Debit Card number lost. That's a 5.6 mil fine for Home Depot, maybe then they'd take it more seriously.


> One thing I haven't seen the popular media take Home Depot to task on is: Why didn't they review their security after the Target breach?

?

It's right there in the article:

"After the Target theft, Home Depot’s chief executive, Frank Blake, assembled a team to determine how to protect the company’s network from a similar attack, said one person briefed on the project. In January, Home Depot brought experts in from Voltage Security, a data security company in California, these people said. By April, the company started introducing in some of its stores enhanced encryption that scrambled payment information the moment a card was swiped.

"But criminals were already deep in Home Depot’s systems. By the time the company learned on Sept. 2 from banks and law enforcement that it had been breached, hackers had been stealing millions of customers’ card information, unnoticed for months. The rollout of the company’s new encryption was not completed until last week."


re: "One thing I haven't seen the popular media take Home Depot to task on is: Why didn't they review their security after the Target breach?"

From the article:

"After the Target theft, Home Depot’s chief executive, Frank Blake, assembled a team to determine how to protect the company’s network from a similar attack, said one person briefed on the project. In January, Home Depot brought experts in from Voltage Security, a data security company in California, these people said. By April, the company started introducing in some of its stores enhanced encryption that scrambled payment information the moment a card was swiped."


10¢? $20 would be more like it, paid to the government, which would then, on request, provide $15 as compensation to pay for the postage and time arranging your new payment card. Even then it's just a token of the costs that they've caused to be incurred.

So, $1 billion fine, do you think they'd do it again? Executives from other companies holding that many card details might actually think it was worth paying a few $100k to get their own systems in order then.

IMO if a company can still afford to pay profits to shareholders after making these sorts of errors then you're not hurting them enough.


I downvoted your comment because I think commenting without reading the article takes away from the community. Had you spent even a small fraction of the time you spent writing actually reading the article, you would have seen what the other commenters are citing.


...more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.

This sort of decision is made at an executive level. There must have been multiple reports that included a record of the decision. PCI is a joke.


"They say many companies do not even know they have been breached."

This is the scariest fact of the whole article. We hear about Sony, Target, Home Depot, etc. on the news, but how many others are out there that we don't know about? Dozens? Hundreds?


Bitcoin and cryptocurrencies should really be capitalizing on the nightmare PR of all these credit card thefts at major retailers. This is way worse than the transaction fee argument.


And how would they go about capitalizing on the bad PR, considering that Bitcoin security is far, far worse than even the sloppiest credit card system? Virtually every business dealing in Bitcoin has been hacked, and this basically always results in the full balance of their bitcoins being stolen and the attacker getting away with it clean.

The credit card system has its issues, but even these massive thefts of numbers generally lead to no financial losses for customers and modest losses for banks and retailers, and the attackers often do get tracked and caught. The biggest complaint on here is that the losses are not high enough to convince these companies to pay serious attention to security.


Whoahahaha no, this does not make bitcoin seem more appealing. At least with credit card breaches nobody loses real money permanently.


So how did the malware get onto these machines in the first place? Why is a POS system running unexpected binaries?


Like most companies, client support is a real shitshow, with the most junior employees and fewest resources.


Since you can't prove a negative: any proof that Home Depot benefited from this?


Here's an article with more details.

http://www.dailytech.com/Appalling+Negligence+DecadeOld+Wind...

Looks like they were still using Windows XP embedded instead of moving to Windows 7 embedded.


Heads up: Windows XP != Windows XP Embedded. Extended support for XPE has not ended yet.

http://support.microsoft.com/lifecycle/search/default.aspx?a...


0. Did Govt BUY or contract with the COMPANY? yes or no

1. Can employees SUE FOR BIG MONIES under qui tam law?

2. IS IT EASY TO FIND A LAWYER and GOVT agency and 'partners' who DO MOST OF THE WORK (other whistleblowers are RICH) in helping the GOVT to sue the COMPANY? yes or no

3. got an entire group? ex-employees? do not plan on working for COMPANY AGAIN?

4. Employee in I.T., computers, security, etc DON'T GET NO RESPECT?

5. Employees could be WHISTLEBLOWERS and when the GOVT and you and partners WIN, then the 99% ninety nine percent win?

Yes, I am a worker. Yes, I paid taxes. Yes, COMPANY got all sorts of tax loopholes, Management got golf club memberships and perks and benefits.

Yes, see books by David Cay Johnston about tax loopholes and 'structures.'


https://en.wikipedia.org/wiki/Victim_blaming

Seriously. Defending cyber infrastructure is hard. Incredibly hard. If you only play defense you lose. Always. 100% of the time. Nuclear facilities and critical infrastructure get hacked when they aren't even connected to the broader internet. Our software stacks are built insecure from the ground up.

And what's the threat model you want Home Depot to protect you against? Hackers coming in directly from the internet? Hackers coming in from a contractor (like Target)? Hackers breaching their corporate datacenters? Attackers that gain access to the production line? Attackers that return goods after they've been infected? Attackers that phish for access to employees or with PDF malware as job applications? Leaving infected CDs, hard drives, and USB sticks near the company HQ of the business they buy their point-of-sale devices from? Creating rogue access points or using femtocells to gain access to company devices? Hacking into home devices of employees? Attackers planting backdoors into the hardware at the manufacturing level? Attackers guessing weak passwords that employees configured? From these attacks applied to vendors and partners? From attackers that compromise tools used by employees hosted on C|NET and others (like sysinternals)? There's a million ways in. Point-of-sale devices are just one way adversaries could collect this data.

Security researchers have been crying that the internet has no clothes for decades. The internet is a wild west without vigilantes. It's been designed weak from the start. Adversarial-tolerant design costs far, far more than fault-tolerant design does.

Wall Street was hacked. The Department of Defense is routinely hacked. The _NSA_ has been hacked.

This isn't Home Depot's fault. Everyone gets hacked. Everyone.


Please don't bring social justice theory into a factual discussion of a company's missteps and negligence that resulted in a serious breach of its systems.


I'm not sure I fully agree with the earlier poster, but it's an interesting and useful perspective and I can't see a clear reason for it to be downvoted. Certainly not just because it "bring[s] social justice theory into a factual discussion", yeesh.


The problem is that calling "blaming the victim!" dismisses the list of faults these whistle blowers are bringing to light.


I certainly do not intend to dismiss security faults (I'm a security researcher by trade). I do, however, want to point out that such lists are invariably not exhaustive and the analysis is woefully incomplete.

Ask any security professional and they will tell you that security is a trade-off. No computer or network is 100% secure. The objective is to match the amount of security to the amount of potential loss. The estimates here are incredibly difficult to make. No person or company or philosophy has solved this problem yet.

One can claim that Home Depot made the wrong security trade-offs. But I don't see any analysis being done in these threads or articles. I see people criticizing faults and suggesting areas that they may have invested in. Ways to increase security. But I don't see any calculations on the actuarial side or figures for how much it would cost Home Depot to make those investments. I don't think a Hacker News thread is capable of making that sort of assessment, myself included.

What I can say (and did say) is that Home Depot is a victim of a theft. You are too, if your data was in the cache. Couldn't someone criticize you for keeping your data with Home Depot? That's not secure. Not just from hackers, but also from being sold to creditors and financial listing agencies. You'd be right to call me out for criticizing you for something you really can't help.

Home Depot can't help but be on a woefully broken cyber-infrastructure. It has to be in order to participate in the modern economy. Its only option is to be more secure than other large retailers with the hope it will be a less attractive target ("I don't have to outrun the bear, I have to outrun you."). If someone wants in, they will get in.

They were forced to take a raw deal, and they were owned. It's going to keep happening. And making post-hoc suggestions about minor configurations isn't going to help.


They used a 7-year-old version of Symantec antivirus, and they didn't do even basic routine scans. What further analysis is necessary?


Because it's not relevant?

I argue it is. There's no way Home Depot could have prevented this. If they took every step suggested by every article and every comment in this 'factual discussion' they would have been owned another way. And it would have received a tirade of similar articles and similar comments about what it should have done to protect its data another way.

Hindsight and backwards engineering security suggestions is easy. But it isn't productive to the overall posture of cyber security. I guess it depends on what scope of the discussion you find interesting. The root or the symptom.


I completely agree with you. It's quite amusing to see this time and time again; 'security' folks then say "oh, it's Target/Home Depot/Heartland Payment/Apple/Adobe/Yahoo's fault"

There's an easily identifiable pattern here. Security is not economically feasible. Cyber security breaches are like industrial accidents or freak acts of nature, and they should be treated that way. Insurance, OSHA, inspectors, training. This problem is not going to go away.

Specifically for credit cards, banks could do a lot to solve the problem by removing the plaintext identity value that is a credit card number. As an engineering discipline, we can do a great deal to remove the high-value targets from flowing through many hands.


>Security is not economically feasible //

Isn't it that others bear the cost of company's security lapses - except for good will - and so they don't really care beyond the legislated need to care? Are these companies making a loss?

It certainly sounds like Home Depot just thought that it wouldn't happen to them and so they could cheap it out - not pay for intrusion detection, not pay to have systems scanned for known vulnerabilities (I'm reading between the lines of the OP article a bit here), not paying for security updates like current anti-virus.


Companies lose huge amounts of money, much of it from PR with customers, when they are hacked. The recent EBay hack for example lost the company huge amounts of money (remember seeing but haven't had luck finding the numbers online).

But you're only thinking about customer retailers.

Many companies need to keep their intellectual property, source code, designs and trade secrets safe from hackers and competitors. Intel is a great example of a company that dominates an industry purely due to IP. Hackers sponsored by Chinese companies (and government) would love to utilize 12 nm transistor technology to outcompete Intel. I can't help but wonder what Intel microcode update keys would sell for.

Brazilian PETROBRAS lost billions of dollars when they got hacked by the NSA and as a result lost offshore oil drill location auctions.

There's also 'outsider trading'. Intimate knowledge of what financial decisions companies and states are going to make is big money (http://tinyurl.com/l834xou).

Finally, there's stealing money directly from corporate accounts (Axis Bank). Recent examples are the thefts of large numbers of bitcoins from bitcoin trading companies. Often hackers abuse automated clearing house systems to transfer data between accounts and siphon small quantities across large swaths of time/transactions (http://www.bankinfosecurity.com/ach-fraud-payroll-hack-drain...).

Then there's political hacking. The Chinese government stole Israel's Iron Dome defense system specifications. What does that 'cost'? It's hard to calculate. There are countless examples where state actors steal designs from defense contracting companies.


I think that Home Depot could have done more to prevent this. From the NYT article, it sounds like Home Depot managers failed to act on the advice of their own cybersecurity team.

This is no different than when Kenneth Lay failed to act on the warnings from Sherron Watkins about improper accounting practices at Enron prior to its collapse.


They certainly could have done more.

I'm not as confident that doing more would have prevented this. Not at the larger scope.

Perhaps additional investments would have made Home Depot a less attractive target and Walmart would have been attacked instead. Or Sears. Or Best Buy. Or Lowe's. Or Petco. But then we'd be having this exact conversation about those companies.

Let's follow the money.

If Home Depot does not make security investments you lose money. Because they get hacked. The hackers make money.

If Home Depot does make security investments you lose money. Because they are not going to shrink their margins. The customer is going to take the cost of business in this case. Hackers are going to target someone else (maybe), where the customer will again lose money. The hackers make money.

Hacking costs you money. It either costs you as a business expense or as an upfront investment in infrastructure/technology.

Yes, Home Depot cost you money. But it costs you money the same way that banks cost you money when they get robbed. Is it the bank's fault? The arguments in this thread say "Yes. Because the bank left the vault open."

I'd agree, except I don't see a way for any bank to close any of its vaults. The current state of cybersecurity is that bad.


I think that Home Depot knew, or should have known, the value of protecting their customers' data. They should have also had some idea of their exposure to the threats that are out there.

I think it's pretty basic. Any IT system has a collection of zero-day vulnerabilities. If the company is smart, they will track what these vulnerabilities are and mitigate the vulnerabilities that can be fixed. The vulnerabilities that don't get resolved will eventually meet up with a zero-day exploit. Then there will be a loss.

It would appear that Home Depot didn't mitigate their vulnerabilities, and now they will have to pay.


Zero days are by definition vulnerabilities that aren't disclosed and do not have fixes.


Therein lies the problem. Waiting for exploits to be developed, before releasing fixes is reactive. More proactive code auditing could reduce the number of zero-day vulnerabilities.


I'm confused about what you're trying to say.


[deleted]


No. I don't think that follows.



