Experts say Home Depot data breach widespread

Company investigating


Richmond-based Risk Based Security tracks data breaches and reports for the first six months of 2014:

• There were 1,331 incidents reported, exposing 502 million records that range from passwords to credit card numbers.

Compare that to total number of breaches in:

2010 — 952

2011 — 1,236

2012 — 3,193

2013 — 2,261

So far this year:

• Three incidents have made the top 10 all time breach list.

• Two hacking incidents alone exposed a combined 318 million records.

• One act of fraud exposed 104 million records.

• The business sector accounted for 54.9% of reported incidents, followed by government (16.1%), unknown (11.8%), education (8.7%), and medical (8.5%).

• 78.2% of reported incidents were the result of hacking, which accounted for 78.7% of the exposed records.

Cyber security experts said indicators point to a massive data breach at The Home Depot that could cost the company many millions of dollars and customers as the retail giant continued Wednesday to insist it was still investigating whether data had been stolen.

It has the potential to be bigger than Target’s massive data breach last year, said Efraim Levy, an analyst with S&P Capital IQ. Home Depot has more stores than Target, which has paid out $148 million so far for its 2013 breach.

Evidence of a Home Depot security hack mounted late in the day Wednesday when blogger Brian Krebs, who first reported the company’s suspected breach on his website KrebsOnSecurity, said new information from sources suggests an attack that hit almost all Home Depot locations.

Home Depot has 1,977 stores in the United States, 180 in Canada and 106 in Mexico.

Target’s breach, which occurred during last year’s holiday season, is considered a benchmark. It cost the company — which has 1,793 U.S stores and 124 in Canada — netted data thieves 40 million debit and credit card numbers and helped lead to the ousting of the retailer’s chief executive officer.

Target “saw more people pay in cash in their stores or simply go elsewhere” after the breach, Levy said.

Corporate data breaches are becoming increasingly frequent as businesses centralize user information in computers. No industry has been immune, with targets varying from Athens-based Zaxby’s to credit giant J.P .Morgan, tech retailer Best Buy and second-hand store operator Goodwill.

Hoping to get out in front of the story, Atlanta-based Home Depot posted information on its website Wednesday saying customers would not be responsible for charges made on their credit cards if a breach is confirmed, and that it would pay for customer credit monitoring if there was a breach.

“Our forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning, working with leading IT security firms, including Symantec and FishNet Security, in that regard,” Home Depot said in a statement. “There is no higher priority for us at this time than to rapidly gather the facts so that we can provide answers to our customers. We know these types of incidents can cause frustration and concern and we apologize for that.”

Cyber security experts said Home Depot’s cautious but proactive strategy is a clear signal the company is trying to make sure it knows the depth of a breach before making an announcement. Getting that right is critical because consumers have demonstrated that they will abandon a chain they feel can’t protect their identity.

“That’s the takeaway from the Target debacle,” said Tim Mescon, an analyst and president of Columbus State University. “Companies need a swift response and to communicate that they are on it and will be relentless in addressing the issue.”

Home Depot has taken steps to better protect consumer information. The retailer has aggressively rolled out point-of-sale systems that can read credit cards with chip and PIN technology that is more difficult to hack than the current magnetic strips on the back of the cards. But many American credit card companies have been slow to issue the cards. (See accompanying article.)

Inga Goddijn, executive vice president and managing director for Risk Based Security, said it will take Home Depot time to complete the investigation, so it may be early to draw conclusions. But on the surface, she said, it appears the breach could be serious.

For businesses, the question is no longer if there will be a security breach, but when and how to handle it, said David Barton, managing director of consulting firm UHY Advisors. Technology has paved the road for 21st century commerce, making it easy and fast. The cost, however, is opening up avenues for cybercriminals to access information.

“It’s the cost of doing business,” he said. “Credit cards are today’s easiest medium of exchange.”

How quickly companies are legally required to report a breach and the amount of information they provide vary by state, the experts said. That has an impact on protections for consumers and determines how quickly they can act. Such laws are weaker in Georgia than in other states, Barton said.

“We’re pretty much a ‘caveat emptor’ (let the buyer beware) kind of state,” Barton said.

Corporations often don’t know they have been hacked until banks or the credit card giants notice spending patterns that raise red flags, the security experts said. By that time it can be too late.

Hackers “are pretty smart and they know what they are doing,” Goddijn said. “In some situations, they can be in and out.”

Other times they may be in a system for long periods.

Benn Konsynski, an Emory University cyber security expert and information systems professor, said the size of the breaches is troubling.

“It says that this information has accumulated in single repositories and is accessible,” he said. “Our practices are 20th century while we in the 21st century. The bad guys are operating with 21st century tools.”

Scott Mitic, a senior vice president of Equifax, said the depth of a potential Home Depot breach will depend on what was actually lost.

If it is limited to customer payment information, then the only consumer concern should be about having a specific credit card compromised.

“When you start to lose much more information, that is when we start to worry,” Mitic said. “But that is unlikely for Home Depot — that complete identity credentials could have been lost. Your identity is a combination of ingredients. The more complete picture of you they get, the more danger you are in and the more vulnerable.” The thieves “have just a fraction.”

“That is the good news. The bad news is that this is an inconvenience and a hassle to have to replace your credit card,” Mitic said. “It is a loss in time and energy. But in most cases, it will not be lost dollars.”