Home Depot Breach Paper

Introduction – Overview of The Home Depot Case Study

This analysis will explore The Home Depot data breach which occurred on Sept 8th, 2014, one of the nation’s largest security retail compromises of that time. The Home Depot, with over 2,200+ stores in the United States, Canada and Mexico, suffered a historic cyber-attack of significant proportions. The breach was devised by skilled hackers who developed an unknown custom malware that penetrated their payment systems and stole over 56 million credit cards and email addresses from millions of customers. In my research of this case, it was difficult for me to comprehend that the world’s leading home improvement retailer could be so careless given this breach occurred less than a year after the Target data breach in December 2013. This evaluation of The Home Depot will examine the company’s discovery of the breach, their response to customers, improved data security measures, and finally the outcome including present day findings

on where they are today. I was very interested in researching this topic, especially since I was a customer of Home Depot at the time of the breach and felt it really impacted me on a personal level. I hope you enjoy my analysis.
Case Study Questions - Breach Discovery & Home Depot’s Response
When the data breach was discovered by the Secret Service and Homeland Security on Sept 8th, 2014, The Home Depot found out it had been happening under their noses for over 5 months starting back in April of 2014. Other companies such as Target and Neiman Marcus had also recently experienced data breaches around the same time. Hackers, likely of the “Black Hat” variety (specialize in hacking IS systems), installed Malware (short for Malicious Software) on Home Depot’s payment system (POS system) which went undetected due to it being the first of its kind. The malware virus crept into their payment system stealing data from millions of customers while sending it to their remote server. The breach occurred when hackers somehow acquired login credentials from a Home Depot vendor and gained access to their payment system. It’s even been speculated that these may have been the same cyber criminals who hacked into Target’s system months prior.
(J.C. Perlroth, 2014) from the New York Times indicated employees stated a concern with Home Depot’s payment systems in that they were trying to save money by using old outdated antivirus software and they did not conduct regular security audits of their systems which left them more exposed to the attack.
Although Home Depot was initially careless in protecting data security, they seemingly took quick action and steps in correcting the security problems after the fact. For example, they reached out to customers who were impacted by letting them know the situation had been contained. They also contacted the banks to have them reissue all the compromised credit cards and they even offered free identity theft and credit monitoring services to these victim’s. Home Depot also took measures to upgrade their payment systems to include installing data encryption - which essentially mixes up the credit data into an unreadable format that hackers cannot access.
(Home Depot, 2014) stated in a press release that they were also going to be launching “EMV Chip-and-Pin” technology as a further layer of protection in securing customer’s data and they would make sure to get this new technology in place before the industry deadline.
EMV means Europay, MasterCard, Visa - who were the first merchants to develop this type of technology. Chip-and-PIN is essentially the method by which the merchant processes the payment. All credit cards in the United States should have chip and signature technology but I’ve noticed some smaller merchants have been slow to implement chip technology readers in stores, likely due to cost. Some smaller local businesses are still having customers swipe their cards, even if they appear to have chip reader’s installed. Why? My views on chip readers are that they seem a little clunky, slow to process and I often find myself having to resubmit my card into the chip reader again because something went wrong in the transaction. Perhaps its user error.
Conclusion – Home Depot Strengths in the Aftermath
Presently, The Home Depot still maintains its strength of being the largest home improvement retailer and the breach of 2014 appears to not have hindered their success.

Their stock prices have continued to rise even during recessions and the data breach. The Home Depot continues to surpass its competitors such as Lowes, and is widely known for their diversification in the industry. I shop at Home Depot for this reason - buy anything online & pick it up in stores.

(Tara T. Seals, 2017) As of March 2017, Info Security Magazine stated that The Home Depot settlements of the data breach are up $179 million and counting but portions are being paid by their insurance company. They went on to report that: “Home Depot agreed to track and manage its data security risk assessments using a risk-exception process, conduct annual reviews of service providers and vendors that have access to payment card information, and create a security-control framework. The retailer also implemented enhanced

encryption”
In closing, The Home Depot appears to have learned from their mistakes and has ultimately taken steps to implement a more comprehensive security plan as stated above. I only wish that other companies such as Equifax would have learned something from this tragedy. To date, Equifax’s recent breach (Sept 2017) now outshines The Home Depot as being the most significant breach in history, impacting more than 143 million people’s social security numbers and personal data, myself included. I’m certain that The Home Depot is thankful to be back on track and that the negative data breach attention is on someone else, at least for the time being.