Home Depot under fire for data breach notification
US retailer Home Depot criticised for delays in telling customers their payment card details may have been compromised
US retailer Home Depot has come under fire for delays in notifying customers that their payment card details may have been compromised.
A suspected breach that has been under investigation since early September 2014 was publicly confirmed on 18 September, but affected customers are unhappy about the company's delay in notifying them.
Customers say they should have been notified sooner than three days after the retailer confirmed that a cyber attack compromised about 56 million payment cards.
The email confirmed news of the breach, but said there was no evidence that debit PIN numbers were compromised or cheques affected.
The email said there was no evidence that the breach had affected stores in Mexico or customers who shopped online at HomeDepot.com.
The email said Home Depot is offering customers 12 months of free identity protection services and credit monitoring, but referred customers to its website for more information.
“We apologise for the frustration and anxiety this may cause you and we thank you for your patience during this time,” the retailer said.
Lack of information
The offer is open to customers who used a payment card at a Home Depot store from April 2014 onwards.
The email concludes by saying: “We hope this information is useful and we appreciate your continued support.”
But some customers have expressed frustration about the lack of useful information in the email, reports Mashable.
“Home depot notification email has almost zero actionable info. They were "breached"; what that means left completely unsaid,” one customer tweeted.
Home Depot said in a statement that the emails "started going out on Friday as part of the standard notification process", but that they are being sent out "in batches to ensure they flow smoothly".
This explains why some customers only received it on Sunday, said Mashable.
In confirming the breach, Home Depot said the attackers used “unique, custom-built malware” to evade detection.
“The malware had not been seen previously in other attacks, according to Home Depot’s security partners,” the retailer said.
Traditional defences insufficient
Steve Hultquist, chief architect at analytics firm RedSeal Networks, said: “Home Depot's commentary about the sophistication of the attack should put to rest all of the assumptions about traditional defences: they are obviously not enough.
“The complexity of systems and networks today, together with the speed of innovation and change, mean that enterprises must change the way they think about defending themselves. They have to know all the potential access into and out of their network before the attackers find them,” said Hultquist.
In recent months, data breaches have been reported by large US retailers Target, Neiman Marcus, Sears, Michaels and Supervalu, affecting millions of US cardholders.
Steven Ransom-Jones, senior consultant at security firm Neohapsis, said: “One thread that is common to a number of breaches is the lack of configuration monitoring on dedicated devices, such as point-of-sale terminals.
“The payment card industry requires the use of file integrity monitoring to detect unauthorised changes to servers that run in the cardholder processing environment.
“The intent of this control is to stabilise a secure processing environment and identify the effects of changes, whether it is by malware or direct intervention - either by a hacker or an administrator circumventing a change management process,” he said.
Ransom-Jones said that, because payment terminals are dedicated to a single purpose, changes on these devices should be infrequent and managed through an appropriate management process and testing cycle.
“In this environment, integrity monitoring would be an extremely effective control: Any change should be considered as suspicious and investigated immediately,” he said.
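The file-integrity monitoring control Ransom-Jones describes comes down to two steps: record a baseline of every file on the single-purpose device, then treat any later difference from that baseline as suspicious. The following is an added illustration written for this article; it is not code from Home Depot, Neohapsis or any PCI-DSS tooling. The directory layout, file names and file contents are constructed, and the example stands in for a point-of-sale host only in the sense that the tree it baselines is meant to change rarely.

```python
"""Minimal file-integrity monitor: baseline a directory tree with SHA-256,
then report any added, removed or modified file as suspicious.

Added example, not code from the article's subject or any vendor; the
directory layout and file names below are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. On a dedicated device every entry returned here is a finding."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed terminal-like tree, baseline it, simulate changes, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"MZ constructed original terminal binary")
        (root / "config.ini").write_text("merchant_id=constructed\n")

        baseline = build_baseline(root)
        # Persist as JSON. In practice the baseline is stored off-device or signed,
        # so a compromised host cannot rewrite the record it is being checked against.
        saved = json.dumps(baseline)

        # Simulated unauthorised changes: binary replaced, extra file dropped, config removed.
        (root / "bin" / "pos.exe").write_bytes(b"MZ constructed tampered terminal binary")
        (root / "bin" / "extra.dll").write_bytes(b"MZ constructed unexpected file")
        (root / "config.ini").unlink()

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints three findings: `bin/pos.exe` modified, `bin/extra.dll` added and `config.ini` removed. The design choice that matters is the one in the comment: the baseline must live somewhere the monitored host cannot alter, otherwise malware or an administrator bypassing change control can simply re-baseline after making the change. Legitimate changes pushed through the management and testing cycle Ransom-Jones mentions are handled by regenerating the baseline as the final step of that process, so that anything else showing up in the diff is, as he puts it, investigated immediately.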