Data breaches are on the rise. With data flowing freely through networks, in the cloud and between our mobile devices, it is not a surprise that threats to our personal data continue to increase. No organization, large or small, is immune to security risks. Therefore, it is critical that every business takes the necessary precautions to ensure their data is protected from the numerous potential vulnerabilities that surround us every day.
A recent example is the September breach of Home Depot’s payment systems. On September 2, Home Depot was notified by both its banking partners and law enforcement that some unusual activity was occurring and it was likely its payment systems had been breached. They posted a message immediately on their website notifying their customers of the potential breach and then confirmed the breach of its payment data systems six days later.
The breach occurred between April and September 2014 to customers who used the self-checkout machines at Home Depot U.S. and Canadian stores – more than 2,000 locations.
Criminals had inserted what Home Depot is calling “unique, custom-built malware” into the payment systems and skimmed the payment card data from potentially 56 million unique payment cards. This is 16 million more than the well-known Target data breach that occurred in December 2013.
Information on the cards, such as name, credit card number and cardholder verification value was stolen to be sold in the underground community where the data is used to create counterfeit cards and make fraudulent purchases.
Eliminating the Source and Protecting for the Future
First things first, Home Depot identified and eliminated the malware from their U.S. and Canadian networks and removed from service all of the self-checkout payment terminals where the malware was found.
Before the September 2, 2014 discovery of malware, Home Depot had a major payment security project underway to provide enhanced encryption of payment data at the point of sale in the company’s U.S. stores. New security software will encrypt the raw payment data from credit cards, rendering it unreadable to potential hackers. At the completion of the project on September 13, nearly 85,000 new pin pads were deployed in the do-it-yourself retailer’s U.S. stores. The retailer is adding enhanced encryption to its Canadian stores by early 2015, since these 180 stores already use EMV “Chip and PIN” technology.
The Direct and Indirect Costs of a Breach
Security failures like the ones at Home Depot and Target can be extremely costly. Home Depot is estimating that this breach will cost them approximately $62 billion for items such as credit monitoring services and call center staffing.
The Ponemon Institute and IBM published thethat actually calculates the cost per lost record. In 2014 that cost is $145 compared to $136 in 2013. The study also states that the average cost to a company was $3.5 million, 15 percent higher than the 2013 report. The cost is not just the lost sales or remediation costs, but also indirect and opportunity costs associated with the breach.
These more indirect costs can be significant as security failures can be detrimental to a company’s reputation, as well as their bottom line. This is why Home Depot is now offering customers free identity protection services, including credit monitoring, to any customer who used a payment card at one of their U.S. or Canadian locations between April and September 2014. Customers will also not be held liable for fraudulent charges.
Protection is Paramount
According to a New York Times article “The Department of Homeland Security and the Secret Service recently estimated that more than 1,000 businesses in the United States had been infected with malware that is programmed to siphon payment card details from cash registers in stores. They believed that many of these businesses did not even know they were sharing customers’ credit card information.”
Furthermore, studies show that businesses aren’t taking the necessary precautions despite the increasing number of breaches being reported. The “2014 Cost of a Data Breach” study reported that only 38 percent of companies have developed a security strategy to protect their IT infrastructure. This percentage needs to increase.
You don’t have to be a large retailer or a financial institute to be impacted by a security breach. In fact, small and medium sized businesses with little financial cushion may feel more of an impact. One recent statistic reported that 72 percent of businesses that suffer major data loss will shut down within 24 months.
Considering just the two security failures discussed here, more than 96 million credit cards were breached. That is almost the entire population of Northern Europe.
As the threat of data breaches continues to grow, it is paramount that businesses have a plan in place to protect their mission-critical data, as well as the personally-identifiable data of their customers.