The possible data breach at Home Depot Inc. that came to light this week has raised anew the question of whether retailers can prevent – or at least do more to stop – hackers from swiping customer information.
The home improvement chain said it was working with law enforcement, banking partners and security firms to investigate “unusual activity” but has not confirmed whether a breach has occurred.
On Tuesday, security journalist Brian Krebs reported on his website that Home Depot may be the source of a “massive” trove of debit and credit card information that went on sale in the “cybercrime underworld.”
Home Depot spokeswoman Paula Drake said Wednesday that “our forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning. … There is no higher priority for us at this time.”
If payment data were stolen, Home Depot would join a pack of other companies – including Michaels, Neiman Marcus, P.F. Chang’s and Target Corp. – that have been targeted by hackers who made off with debit and credit card information from customers.
Security experts say large companies can never completely shield themselves against cybercriminals, but many can improve their odds by focusing more attention on closing loopholes in their system.
“The reality we live in today is any company is breachable,” said Aleksandr Yampolskiy, chief executive of SecurityScorecard Inc., which rates businesses on the level of their security. “If someone is determined enough, they can hack into any company. And for the biggest companies, it’s nearly impossible to secure all of the weakest links.”
As a safeguard, some U.S. retailers have said they will adopt cards with embedded chips, which many other countries use in place of cards with magnetic strips. The magnetic strips store personal information and can be more easily counterfeited.
In the past, the high cost of this EMV system – named for its developers: Europay, MasterCard and Visa – has prevented wide adoption by U.S. companies. Instead, credit companies created the Payment Card Industry Security Standards Council in 2006 to push for better protections against consumer data theft.
Many hackers have targeted U.S. companies because they make easier targets than their European counterparts, security analysts say.
“The U.S. has not implemented chip-and-pin, so it’s the low-hanging fruit,” said Nick Economidis, an underwriter at Beazley, which provides insurance for breach response. “There seems to be a general consensus a lot of that fraud has been moved to the U.S.”
But implementing EMV will take years, and some retailers are balking at spending the billions of dollars it will take to replace their current point-of-sale technology. In the meantime, many retailers aren’t doing all they can to prevent hacks, experts say.
Yampolskiy of SecurityScorecard said his company has given Home Depot a C rating for its overall security. Wal-Mart Stores Inc. and Costco Wholesale Corp. both have B ratings.
Home Depot takes about 1.3 days to clean up malware in its system, compared with the retail industry’s average of one day, he said. Hackers have been chattering online about vulnerabilities on the Atlanta retailer’s website since 2008.
“All the signs were there that they weren’t doing enough for security,” Yampolskiy said.