[BreachExchange] Companies Must Be More Transparent About Security Moving Forward

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 21 18:55:45 EDT 2017


https://cloudtweaks.com/2017/03/companies-transparent-security/

You may remember that Home Depot was affected by a sizeable data breach in
2014. The incident is widely considered one of the largest point-of-sale
heists of all time because over 56 million credit cards were read and
compromised. Needless to say, it left an unprecedented number of customers
affected by a single breach.

Home Depot became aware of the breach in early September of that year and
quickly acted to remove “unique, custom-built malware” from infected
point-of-sale systems. It had been collecting credit and financial
information about customers who were buying products from the popular DIY
store and completing transactions through self-checkout lanes.

In this situation, consumers swiped their credit cards, and their information
was collected, stored and compromised. Hackers notoriously sell lists of
personal information, including credit card data, on the black market.

One thing we’re still learning from the attack is that security is nothing
to be taken lightly. It’s going to cost the company well over $179 million
to pay for damages incurred during the breach, not including legal fees and
additional payouts that might happen.

This is on top of $134.5 million that Home Depot has already paid out to
Visa, MasterCard and a variety of banks. Plus, there were additional
consumer-related lawsuits from the breach that customers filed to protect
their own interests.

All that money? It’s going to banks and financial institutions that had to
deal with the brunt of the attacks on customers’ data. Any banks that filed
claims will receive $2 per compromised payment card, and they don’t even
have to prove their losses. This matters, because they may have already
received compensation for losses from another party. So, essentially,
they’re getting double the reimbursement cost.

But that’s not all. Institutions that prove their losses may be awarded up
to 60% of their uncompensated costs in a “documented damages award,” all of
which can be seen in the settlement documents.

It’s no secret that credit unions, affected banks and their members were
most damaged by the lax security standards the merchant had in place. It
calls into question who is responsible when something like this happens.

Clearly, Home Depot didn’t do everything they could to protect the
associated data, and now they’re paying for the costly mistake.

Home Depot Must Be Transparent About Security Going Forward

One stipulation set forth in the settlement is that Home Depot needs to
work on their data security by doing some risk assessment and then taking
the necessary steps to lock down any vulnerabilities or weaknesses.

The settlement requires them to conduct and facilitate annual reviews of
service providers and vendors who have access to payment and financial
information. They must also come up with a valid security-control framework
that protects both customers and financial institutions from further losses.

It’s likely they will now implement a more secure point-to-point encryption
(P2PE) strategy, using something like 2048-bit RSA encryption. This is an
incredibly secure data standard that can be used to protect information in
the payment industry.

Encryption locks data behind a unique key by making it unreadable without
that key; the data cannot be deciphered (decrypted) without the appropriate
key. With encrypted databases, it doesn’t matter if hackers breach the
system and steal the data. Unless they can crack the encryption or obtain
the key, they cannot read it.
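An added example, not code from the article or from Home Depot, of the point-to-point pattern described above: the terminal seals card data with a per-transaction AES-256-GCM key that is itself wrapped under the processor's RSA-2048 public key, so a terminal or store database that is breached yields only ciphertext. The `Envelope` layout and the `Seal`/`Open` functions are assumptions of this demo, not a P2PE standard.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what a terminal forwards to the processor: a per-transaction
// AES-256 key wrapped under the processor's RSA-2048 public key, plus the
// AES-GCM ciphertext of the card data. Unreadable without the private key.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func check(err error) {
	if err != nil {
		panic(err) // demo only; a real terminal would fail the transaction
	}
}

func newGCM(dek []byte) cipher.AEAD {
	block, err := aes.NewCipher(dek)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// Seal runs on the terminal, which holds only the processor's public key.
func Seal(pub *rsa.PublicKey, cardData []byte) *Envelope {
	buf := make([]byte, 32+12) // fresh AES-256 key + 96-bit GCM nonce
	_, err := rand.Read(buf)
	check(err)
	dek, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	check(err)
	return &Envelope{wrapped, nonce, newGCM(dek).Seal(nil, nonce, cardData, nil)}
}

// Open runs only at the processor; it fails if the blob was tampered with.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return newGCM(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

The private key stays with the processor; the terminal, the store network and any intermediate database only ever hold the public key and the sealed envelope.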

Considering the amount of money Home Depot is now doling out to amend for
its mistakes, boosted security is something they will certainly be looking
into. It’s also something the rest of us should be looking into for our
personal bank accounts and online payment processing.