Home Depot breach hits 56 million cards. Why do hacks keep happening?

Home Depot announced 56 million of its customers likely had their credit card information stolen in one of the largest data breaches in history. Why do these breaches keep happening, and what is being done to protect your information?

Toby Talbot/AP/File
Shoppers walk through the aisles at the Home Depot store in Williston, Vt. on Feb. 22, 2010. The Home Depot on Thursday, Sept. 18 said it has eliminated malware from its U.S. and Canadian networks that affected 56 million unique payment cards between April and September.

The data breach at Home Depot could be the biggest in history, and is the latest in a string of breaches that have customers asking why businesses aren't doing more to protect their data.

Home Depot announced Thursday that 56 million cards might have been compromised in an attack that ran from April to September of this year. The breach affected stores in the US and Canada.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” Frank Blake, Home Depot’s chief executive, said in a statement. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.” 

The breach is the latest in a long series of high profile attacks on retailers, including Target, Neiman Marcus, Supervalu, Dairy Queen, and P.F. Chang’s China Bistro. Why do these breaches keep happening, and what is being done to protect your information? Read on for a few answers. 

Where is the data being stolen?

The breaches at Home Depot and Target, the two highest profile cases, were point-of-sale (POS) attacks. In both instances, attackers installed malware on the company's payment systems and used it to capture card data as shoppers swiped their credit cards at the register.

POS attacks accounted for 31 percent of all breaches between 2011 and 2013, according to Verizon's 2014 Data Breach Investigations Report.

Why is it so prevalent?

Most businesses have only basic security in place. All businesses that wish to accept credit or debit cards must meet the Payment Card Industry Data Security Standard (PCI DSS). But PCI compliance is a baseline, and it can only do so much to protect the data.

“It is possible to be PCI compliant and still be hacked," Stephen Cobb, senior security researcher at ESET, told The Christian Science Monitor in early September. He made the case that attacks keep happening because businesses don't go beyond minimum requirements. “There is a lot of discussion about updating the standard, and a lot of people in security are saying ‘having a standard in compliance isn't being secured.'"

For those who do invest in extra security, some experts argue they could be buying the wrong type. “Most of the resources are invested to protect the perimeter. The thinking is, if you put a high enough wall, then you are protected. That used to be true once, you just needed to be safer than other businesses,” says Michael Mumcuoglu, chief technology officer of the Israel-based security firm LightCyber, adding that businesses need to invest more in knowing when there is a breach so they can deal with the problem quickly.

 “[Businesses] must spend more money for detection and response. You can’t just try to protect yourself from attack,” he says. “They need to shift the focus to a more holistic approach that doesn’t only look at what is bombarding them from the outside. They need to look at what is happening inside the network.”

What is being done to protect customers?

With a traditional magnetic-stripe card, the data read at the swipe is static, so anyone who captures it can encode it onto a blank card and use that clone like the real one. Many card issuers are now moving to chip-and-PIN (EMV) cards. These carry an embedded microchip that generates a unique cryptogram for each transaction, so data captured from one purchase cannot be used to manufacture a working counterfeit chip card.

"The idea is that it enables the information to be read off a secure chip on the card," John Pironti, risk and security advisor at ISACA, told CBS News. "It has to be present for the transaction, and the card number itself is never released to the provider."

Chip-and-PIN cards are held by millions of Americans, but there is a major problem: oftentimes, customers can't use them. Businesses must install new point-of-sale terminals to accept these cards, but, thus far, US merchants have been slow to do so because of the cost. Until they do, the chip card's fallback magnetic stripe is still swiped, and that stripe data is just as clonable as it ever was.

“The problem with security is that it is like insurance," Phil Montgomery, executive vice president of Identiv, a security firm, told the Monitor in September. "It is something you have to invest in up front, and the attack may or may not happen. It's hard for businesses to know that they should invest in security because of the uncertainty, but they are risking the confidence of consumers if breached, which is happening with regularity.”

Walmart and Target are the only two major retailers to have rolled out the new system in the US, but that could soon change. New card-network rules take effect in October 2015 and change who pays for counterfeit-card fraud. Businesses won't be forced to accept chip cards, but a merchant whose terminal can't process a chip transaction will bear the cost of counterfeit fraud that a chip terminal would have prevented, a cost that the card issuer absorbs today.

Home Depot said it will roll out a new chip-and-PIN system by early 2015, but only in its Canadian stores.

Another layer of protection comes in the form of Apple Pay, announced by Apple last week. iPhone 6 users will be able to load their credit card into the phone and then pay with the phone instead of the card. Apple says the scheme is more secure for two reasons: Apple does not store the card number on its servers, and the store never receives the actual card number. Instead, the phone presents the merchant with a device-specific substitute account number (a token) together with a one-time transaction code, and only the card network can map that token back to the real card.

Still, only time will tell if Apple Pay is as secure as it claims.
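The two mechanisms described above, a per-transaction chip cryptogram and a merchant-facing token, rely on the same idea: nothing the terminal sees is sufficient to authorize a second payment. The toy model below, added here as an illustration and not code from Home Depot, Apple or any card network, shows why a scraped magnetic-stripe track can be replayed while a captured chip message cannot, and why a tokenized payment leaves the merchant without the real card number. The HMAC cryptogram, the 16-digit token format and the single shared key per card are simplifications standing in for EMV's key derivation and message formats; the card numbers are constructed test values.

```python
"""Toy model: static stripe data replays, a chip cryptogram does not,
and a token hides the PAN from the merchant.  Constructed example;
EMV key derivation, message formats and network details are simplified."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


# --- magnetic stripe: everything the terminal reads is static -------------
@dataclass
class MagstripeCard:
    pan: str
    expiry: str   # YYMM
    cvv1: str     # static verification value encoded on the stripe

    def swipe(self) -> dict:
        # A copy of this dict is as good as the card itself.
        return {"pan": self.pan, "expiry": self.expiry, "cvv1": self.cvv1}


class MagstripeIssuer:
    def __init__(self, cards):
        self.cards = {c.pan: c for c in cards}

    def authorize(self, track: dict) -> bool:
        c = self.cards.get(track["pan"])
        return c is not None and track["cvv1"] == c.cvv1 and track["expiry"] == c.expiry


# --- EMV-style chip: a fresh cryptogram for every transaction -------------
@dataclass
class ChipCard:
    pan: str
    key: bytes   # secret shared with the issuer; never leaves the chip
    atc: int = 0  # application transaction counter

    def transact(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|".encode() + unpredictable_number
        arqc = hmac.new(self.key, msg, hashlib.sha256).digest()
        # This is all the terminal (and any malware on it) ever sees.
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "arqc": arqc}


class ChipIssuer:
    def __init__(self, cards):
        self.keys = {c.pan: c.key for c in cards}
        self.last_atc = {c.pan: 0 for c in cards}

    def authorize(self, req: dict, amount_cents: int) -> bool:
        key = self.keys.get(req["pan"])
        if key is None or req["amount"] != amount_cents:
            return False
        msg = f"{req['pan']}|{req['atc']}|{req['amount']}|".encode() + req["un"]
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req["arqc"]):
            return False  # wrong key or tampered amount/nonce
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False  # replay of an already-used cryptogram
        self.last_atc[req["pan"]] = req["atc"]
        return True


# --- tokenization (Apple Pay-style): merchant sees a token, not the PAN ----
class TokenService:
    """Network-side vault mapping device tokens back to real card numbers."""
    def __init__(self):
        self.vault = {}

    def provision(self, real_pan: str) -> ChipCard:
        token = "49" + "".join(secrets.choice("0123456789") for _ in range(14))
        device = ChipCard(token, key=secrets.token_bytes(16))  # lives in the phone
        self.vault[token] = real_pan
        return device


def magstripe_replay_succeeds() -> bool:
    card = MagstripeCard("4111111111111111", "2612", "123")
    issuer = MagstripeIssuer([card])
    stolen = card.swipe()  # scraped from POS memory by malware
    return issuer.authorize(dict(stolen))  # clone encoded on a blank card works


def chip_replay_fails() -> bool:
    card = ChipCard("4111111111111111", key=secrets.token_bytes(16))
    issuer = ChipIssuer([card])
    legit = card.transact(5_00, secrets.token_bytes(4))
    assert issuer.authorize(legit, 5_00)
    replayed = issuer.authorize(dict(legit), 5_00)          # same message again
    forged = issuer.authorize(dict(legit, amount=499_00), 499_00)  # edited amount
    return not replayed and not forged


def tokenized_payment_hides_pan() -> bool:
    real_pan = "4111111111111111"
    service = TokenService()
    device = service.provision(real_pan)
    issuer = ChipIssuer([device])
    msg = device.transact(12_99, secrets.token_bytes(4))  # what the merchant receives
    return real_pan not in repr(msg) and issuer.authorize(msg, 12_99) \
        and service.vault[msg["pan"]] == real_pan
```

The magstripe issuer has no way to tell the clone from the original, which is the whole reason a POS memory scraper pays off. The chip issuer rejects both the replay (counter already used) and the edited amount (cryptogram no longer verifies), and the attacker cannot mint a new cryptogram without the key inside the chip. The caveat from the section above still applies: a chip card also carries a stripe for fallback, so a merchant that keeps accepting swipes is still exposed to the first scenario.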

What can customers do to protect themselves?

Experts say the best thing customers can do is watch their credit card statements for fraudulent purchases. When a fraudulent charge appears, customers should call their banks as soon as possible.

Many experts are also pushing customers to demand that businesses invest in infrastructure that makes their data more secure. 

“To get business owners to pay attention is a challenge,” Lee Plave, a lawyer with the Virginia-based Plave Koch PLC, told The Christian Science Monitor in early September. “[People] have to convince them that it’s something they have to change.”
