A series of large and high-profile hacks across the world in August has resulted in the worst single month for data breaches in history.
And now, not even halfway into September, we are witnessing what is expected to be the largest single data breach in corporate history at Home Depot, the home improvement chain with 2,000 outlets across North America.
There is a simple trend at work here. Large-scale data breaches are no longer the rare black-swan event they used to be. And going forward, such large-scale breaches are more likely to occur than ever before. This is the geometric consequence of the increased appeal of cybercrime for aspiring hackers and the large returns that this form of crime can generate for relatively low effort.
The more connected we are as a global community, the more careful we must be about the security of sensitive data. The new reality is that data security is critical to the integrity of our global financial systems and our everyday lives.
These massive and interconnected electronic systems ultimately are based on trust -- hard to earn, easy to lose.
Data breaches are extremely costly. The damage to reputation is immense, perhaps immeasurable. The direct costs are enormous. And of course there is the cost of the actual credit fraud that can result from a breach. Certainly Target in the United States is still counting the cost of a data breach it confirmed in December last year in which it acknowledged the loss of 70 million records. Target says it has spent more than $US148 million on remediation work directly related to that single breach.
I am currently in Orlando, Florida, attending the Payment Card Industry’s (PCI) largest security conference. Whilst in town I visited a Target outlet and noticed the store was using brand new, chip-enabled payment card terminals. These new terminals -- which shut the gate after the horse was long gone -- are a part of the expensive response as the company rolled out new and better security infrastructure.
The Home Depot data breach is now the hot topic in the corridors of the PCI conference, which is full of payment security experts from all over the world. The consensus is that the Home Depot hack will likely become the largest credit card data breach in history based on how many months that malware went undetected on their systems, and the potential for thousands of stores to be affected.
The cyber-criminals who attacked Home Depot used a variant of the same malware used in the Target data breach - a nasty piece of rogue code that skims credit card details from POS systems.
The company has confirmed that the breach is believed to have affected transactions across its North American stores since April. It is still determining the full scope, scale and impact of the breach, but has said it believes credit card details have been skimmed on transactions for months.
Unsurprisingly, Home Depot immediately announced it was accelerating its payment terminal upgrade program, which it expects to complete by the end of the year, rather than late 2015 as previously planned.
Needless to say, the Home Depot breach has captured everyone’s attention within the broader information security industry.
In contrast to the Home Depot situation, many breaches of personal data are never made public. This is certainly true in Australia, where there is no requirement for a company that has suffered a security breach to inform its customers.
This explains why so few Australian companies are publicly reported as having suffered a database breach. It also explains why Australian businesses are not making data security a priority. There is a perception that being located far away from where the current major hacks are happening somehow makes us immune from sophisticated and damaging attacks.
Enforcing the mandatory reporting of data breaches in Australia would be a positive thing. It is not simply that such regulation gives some control back to the consumer, allowing them to take control of their personal data in the event of a breach. This may be as simple as allowing them to change their PIN or password in a timely fashion.
It also goes to the heart of the trust issue. Mandatory reporting requirements have been on and off the government agenda in recent years. They were on the legislative agenda last year, but have been on ice since the Abbott Government was elected.
However, the David Murray-chaired Financial Service Inquiry notes in its interim report that if consumers don’t trust the handling of personal information, the financial system could be severely impeded.
The mandatory reporting of data breaches won’t make the technical challenge of locking down data against sophisticated cyber-criminals any easier. However, it will certainly focus the attention of the companies that are not adequately protecting their customers’ personal information.
No-one wants to be the next Home Depot, or Target. It is simply too costly to contemplate.
Stephen Cavey is Co-Founder and Director of Corporate Development at Ground Labs, the global leader in data discovery software for business.