Home Depot breach hits 56 million cards. Why do hacks keep happening?

Home Depot announced 56 million of its customers likely had their credit card information stolen in one of the largest data breaches in history. Why do these breaches keep happening, and what is being done to protect your information?

Toby Talbot/AP/File
Shoppers walk through the aisles at the Home Depot store in Williston, Vt. on Feb. 22, 2010. The Home Depot on Thursday, Sept. 18 said it has eliminated malware from its U.S. and Canadian networks that affected 56 million unique payment cards between April and September.

The data breach at Home Depot could be the biggest in history, and is the latest in a string of breaches that have customers asking why businesses aren't doing more to protect their data.

Home Depot announced Thursday that 56 million cards might have been compromised in an attack between April and September of this year. The breach affected stores in the US and Canada.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” Frank Blake, Home Depot’s chief executive, said in a statement. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.” 

The breach is the latest in a long series of high profile attacks on retailers, including Target, Neiman Marcus, Supervalu, Dairy Queen, and P.F. Chang’s China Bistro. Why do these breaches keep happening, and what is being done to protect your information? Read on for a few answers. 

Where is the data being stolen?

The breaches at Home Depot and Target, the two highest profile cases, were point of sale (POS) attacks. In both instances, someone was able to install malware in the company's payment system and then capture card information as shoppers swiped their credit cards.

POS attacks accounted for 31 percent of all breaches between 2011 and 2013, according to Verizon's 2014 Data Breach Investigations Report.

Why is it so prevalent?

Most businesses have only basic security in place. All businesses that wish to accept credit or debit cards must meet standards set by the Payment Card Industry (PCI). But PCI compliance can only do so much to protect the data.

“It is possible to be PCI compliant and still be hacked,” Stephen Cobb, senior security researcher at ESET, told The Christian Science Monitor in early September. He made the case that attacks keep happening because businesses don't go beyond minimum requirements. “There is a lot of discussion about updating the standard, and a lot of people in security are saying ‘having a standard in compliance isn't being secured.’”

For those who do invest in extra security, some experts argue they could be buying the wrong type. “Most of the resources are invested to protect the perimeter. The thinking is, if you put a high enough wall, then you are protected. That used to be true once, you just needed to be safer than other businesses,” says Michael Mumcuoglu, chief technology officer of the Israel-based security firm LightCyber, adding that businesses need to invest more in knowing when there is a breach so they can deal with the problem quickly.

“[Businesses] must spend more money for detection and response. You can’t just try to protect yourself from attack,” he says. “They need to shift the focus to a more holistic approach that doesn’t only look at what is bombarding them from the outside. They need to look at what is happening inside the network.”

What is being done to protect customers?

With the traditional magnetic stripe credit card, hackers are able to make fake credit cards using the stolen data. The fake card can then be used like a normal card. But many credit card companies are now moving to a chip-and-pin system. Chip-and-pin cards have an embedded microchip that prevents hackers from being able to make faux credit cards.

“The idea is that it enables the information to be read off a secure chip on the card,” John Pironti, risk and security advisor at ISACA, told CBS News. “It has to be present for the transaction, and the card number itself is never released to the provider.”

Chip-and-pin cards are held by millions of Americans, but there is a major problem: oftentimes, customers can’t use them. Businesses must install new point of sale systems to accept these cards, but, thus far, US merchants have been slow to do so because of the cost.

“The problem with security is that it is like insurance,” Phil Montgomery, executive vice president of Identiv, a security firm, told the Monitor in September. “It is something you have to invest in up front, and the attack may or may not happen. It’s hard for businesses to know that they should invest in security because of the uncertainty, but they are risking the confidence of consumers if breached, which is happening with regularity.”

Walmart and Target are the only two major retailers to unveil the new system in the US, but that could soon change. New credit card standards go into effect in October 2015, and they will change who is liable for data breaches. While businesses won’t be forced to accept chip-and-pin cards, those who don’t accept them will now be held liable for breaches.

Home Depot said it will unveil a new chip-and-pin system by early 2015, but only in its Canadian stores.

Another level of protection comes in the form of the new Apple Pay system, announced by Apple last week. iPhone 6 users will be able to upload their credit card information onto their phones and then use their phone to pay for purchases. The credit card is more secure for two reasons: Apple doesn’t store the card’s information on its servers, and the stores never get access to the card’s information. Instead, Apple gives the store a one-time-use password that the store uses to get its payment.
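As an added illustration (not code from this article, and not Apple's implementation), here is a simplified model of the tokenization idea just described: the card number goes only to a token service, the merchant receives a single-use token bound to one amount, and a stolen copy of the merchant's POS records holds nothing a counterfeiter could reuse. The `TokenService` and `Merchant` classes and the test card number are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field

TEST_PAN = "4111111111111111"  # constructed test card number, not a real account

@dataclass
class TokenService:
    # Hypothetical token vault standing in for the wallet provider's server.
    _vault: dict = field(default_factory=dict)  # token -> (pan, amount_cents)

    def issue(self, pan: str, amount_cents: int) -> str:
        # The wallet sends the real card number here, never to the merchant.
        token = secrets.token_hex(16)
        self._vault[token] = (pan, amount_cents)
        return token

    def redeem(self, token: str, amount_cents: int) -> bool:
        # pop() makes the token single-use: a second presentation finds nothing.
        entry = self._vault.pop(token, None)
        if entry is None:
            return False
        _pan, authorised = entry
        return authorised == amount_cents  # token is also bound to one amount

@dataclass
class Merchant:
    # Keeps whatever the POS system was handed, i.e. what a memory scraper would see.
    records: list = field(default_factory=list)

    def charge_magstripe(self, pan: str, amount_cents: int) -> bool:
        self.records.append({"pan": pan, "amount": amount_cents})
        return True

    def charge_token(self, svc: TokenService, token: str, amount_cents: int) -> bool:
        ok = svc.redeem(token, amount_cents)
        self.records.append({"token": token, "amount": amount_cents, "ok": ok})
        return ok

def exposes_pan(merchant: Merchant) -> bool:
    # True if a copy of the merchant's records would yield the card number.
    return any(TEST_PAN in str(r) for r in merchant.records)

def demo() -> tuple:
    svc, swipe, tap = TokenService(), Merchant(), Merchant()
    swipe.charge_magstripe(TEST_PAN, 4999)            # traditional swipe
    token = svc.issue(TEST_PAN, 4999)                 # wallet obtains a token
    first = tap.charge_token(svc, token, 4999)        # merchant redeems it once
    replay = tap.charge_token(svc, token, 4999)       # stolen copy replayed
    return exposes_pan(swipe), exposes_pan(tap), first, replay
```

`demo()` returns `(True, False, True, False)`: the swiped merchant's records expose the card number, the tokenized merchant's do not, and the replayed token is refused.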

Still, only time will tell if Apple Pay is as secure as it claims.

What can customers do to protect themselves?

Experts say the best thing customers can do is watch their credit card statements for fraudulent purchases. When a fraudulent charge appears, customers should call their banks as soon as possible.

Many experts are also pushing customers to demand that businesses invest in infrastructure that makes their data more secure. 

“To get business owners to pay attention is a challenge,” Lee Plave, a lawyer with the Virginia-based Plave Koch PLC, told The Christian Science Monitor in early September. “[People] have to convince them that it’s something they have to change.”
