As Home Depot scrambles to determine the scope and scale of a potentially massive breach of its customers' data, the retailer's troubles underscore the challenges facing retailers and card issuers attempting to gird themselves against cybercriminals.
In the wake of a breach at Target last December that exposed the credit card information of 40 million customers and the personal data of millions more, the industry pledged to move quickly and aggressively to protect customer data. But experts say the latest breach shows that many retailers likely remain vulnerable to hacks.
"The biggest challenge in today’s environment is the hackers are getting better," said Chuck Winter, a consultant with North Highland Co. who has developed information technology strategies for retailers. "We've seen the complexity of the retailers' technology platforms make it challenging to completely secure their total environment."
On Tuesday, a coalition of state lawmakers announced that they would be investigating the Home Depot breach. Meanwhile, Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) sent a letter to FTC chairwoman Edith Ramirez asking the agency to probe the hack at Home Depot.
“We are concerned that the retailer’s procedures for detecting and stopping operations to steal customer data are inadequate and we call on the Commission to investigate whether Home Depot’s security procedures meet a reasonable standard,” the senators wrote.
Home Depot has not said how many customers may have been affected by the breach. But given that it may have lasted several months, experts say it could be more wide-reaching than the one last year at Target.
One key way retailers and card issuers have been working to fight the problem is to update payment card technology. In the U.S., most cards have magnetic stripes, which are thought to be less secure than a type of card often used overseas, known as "chip and PIN." With magnetic stripe cards, there is a brief moment when card information is left unencrypted on a retailer's network as the transaction is carried out, giving a hacker an opening to scoop up the data.
Experts say that the shift to chip and PIN technology has not been especially swift because it is time-consuming and expensive: Retailers must overhaul their point-of-sale and back-end software systems, while card companies must issue new cards that are more costly to produce.
"On the issuing side, we’ve got the largest and most diverse payments marketplace in the world," said Randy Vanderhoof, director of the EMV Migration Forum, a group that works to promote the switch to chip and PIN. "We’ve got over 1.2 billion payment cards in the marketplace, so getting all of those cards converted to chip is not a simple task."
Home Depot was in the process of adding chip and PIN technology in its stores and has said it still plans to complete its migration to that technology by the end of next year.
While chip and PIN technology might help safeguard customer data, experts say it is hardly a silver bullet in fighting data theft.
"What we know from other markets is that when markets start to lock down with chip technology, often times the fraud migrates" to ATM transactions or online purchases, said Carolyn Balfany, MasterCard's group head for U.S. product delivery.
Experts say there are other barriers that may leave major retailers and other targets at risk.
Art Gilliland, senior vice president and general manager of Enterprise Security Products at Hewlett Packard, says cybercriminals only need to break in once to be successful. Because of that, he says that there needs to be a shift from threat prevention to incident response and mitigation.
Tom Kellermann, the chief cybersecurity officer at IT security firm Trend Micro, agrees. “Current standards of security for these large organizations are very perimeter-focused and don’t deal with the level of attacks that are going on in the market,” he says.
When there is a focused adversary, it is going to get in, Kellermann said. Like Gilliland, he believes companies should focus on identifying and neutralizing threats once a breach has occurred. "The paradigm has to shift from castles to prisons – you have to make them more resource constrained when they get into your house."
“People need to be paying a lot more attention to the behavior of accounts within their own networks,” says Trey Ford, global security strategist at cybersecurity firm Rapid7.
Gilliland agrees that companies need to keep a better eye on movements on their systems, but warns that there are limits to how much you can lock up your internal networks while maintaining functionality for users: The sort of internal flexibility that may make it easier for attackers to explore systems may be the same structure that enables internal innovation in employees or provides convenience for customers.
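The kind of account monitoring Ford and Gilliland describe can be made concrete with a small detection routine. The following is an added illustration, not code from the article or from any of the companies quoted in it: it assumes a simple authentication log format of the form `<time> <account> <host> <result>`, uses constructed sample lines, and treats an account that successfully authenticates to more than a baseline number of distinct hosts inside a short window as something worth a closer look. The window size and the baseline are assumptions a real team would tune against its own environment.

```python
"""Flag accounts whose host fan-out inside a sliding time window exceeds a baseline.

Added illustration; the log format, thresholds and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events: "<iso time> <account> <host> <result>".
# The svc_inventory account fanning out across six registers in under a minute is
# the behaviour the detection is meant to surface.
SAMPLE_LOG = """\
2014-04-03T09:02:11 jsmith pos-0412 success
2014-04-03T09:05:40 jsmith pos-0412 success
2014-04-03T10:17:03 rlee hq-fileshare success
2014-04-03T23:41:09 svc_inventory pos-0101 success
2014-04-03T23:41:15 svc_inventory pos-0102 success
2014-04-03T23:41:22 svc_inventory pos-0103 success
2014-04-03T23:41:30 svc_inventory pos-0104 success
2014-04-03T23:41:37 svc_inventory pos-0105 success
2014-04-03T23:41:44 svc_inventory pos-0106 success
2014-04-03T23:58:02 svc_inventory pos-0107 failure
2014-04-04T08:15:00 rlee hq-fileshare success
"""

WINDOW = timedelta(minutes=10)       # assumed sliding window length
MAX_DISTINCT_HOSTS = 3               # assumed baseline for one account in that window


def parse_events(text):
    """Parse log lines into (timestamp, account, host, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, result = line.split()
        events.append((datetime.fromisoformat(ts), account, host, result))
    events.sort(key=lambda e: e[0])
    return events


def fan_out_alerts(events, window=WINDOW, max_hosts=MAX_DISTINCT_HOSTS):
    """Return {account: peak distinct hosts} for accounts that exceed max_hosts in any window.

    Only successful authentications count; failures are left to a separate
    brute-force style check so the two signals are not conflated.
    """
    by_account = defaultdict(list)
    for ts, account, host, result in events:
        if result == "success":
            by_account[account].append((ts, host))

    alerts = {}
    for account, seq in by_account.items():
        peak = 0
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it is within `window` of the newest event.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            distinct = len({host for _, host in seq[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_hosts:
            alerts[account] = peak
    return alerts


if __name__ == "__main__":
    for account, peak in fan_out_alerts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {account}: {peak} distinct hosts within {WINDOW}")
```

Run on the constructed sample, the routine flags only `svc_inventory`, which reached six distinct point-of-sale hosts within a ten-minute window, and stays quiet for the two accounts whose activity stays on one host. The design choice worth noting is that the baseline is per window rather than per day: a service account legitimately touching many registers over a shift looks very different from one touching them all in thirty seconds, and a daily count would not separate the two.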
Breaches also take significant time and resources to investigate once they occur. "Security teams don’t have unlimited budgets -- they have finite budgets and finite manpower," says Ford.
"These types of investigations take time," he explains, noting that researchers often have to work through multiple scenarios and sift through mountains of data to determine how systems were infiltrated and navigated.
Information sharing is a key strategy for reducing risk throughout individual ecosystems, and two major industry groups launched efforts in the wake of the Target breach so that retailers could better share information about potential threats. The Retail Industry Leaders Association founded the Retail Cyber Intelligence Sharing Center (R-CISC), which includes stores such as Gap, J. C. Penney, Nike and Target. In April, the National Retail Federation announced the creation of its own information-sharing platform, which the group's senior vice president and general counsel, Mallory Duncan, describes as a listserv for exchanging threat information.
Still, industry experts say there remains a significant lag between when incidents are uncovered and when that information is made available to the larger cybersecurity community. "What I find challenging as a practitioner is the lack of details from breaches, small and large," says Ford. Often, he says, "companies remain silent on many details for their own operational security." And when they do, he argues, they're "effectively dooming other organizations to the same fate."
The recent cybersecurity sharing efforts from the retail industry come many years after the financial-services industry took similar steps to guard against cyber attacks. When asked why this idea had not gained traction in the retail industry earlier, Duncan said it was likely because the need didn't feel as urgent for retailers.
"The answer is: The bad guys know where the valuable information is, and more valuable information is inside a bank," Duncan said. "Most retailers don’t have your Social Security number. They don’t have your mother’s maiden name."
Without those pieces of information, thieves can only take advantage of your data for the short window of time before you notice suspicious activity and cancel your card.
Home Depot said Monday that a hack of its payment systems could affect customers who used credit or debit cards in its U.S. and Canada stores since April. The company began investigating the possibility of a breach last week after law enforcement officials and members of the banking industry alerted it to unusual activity.
The company has said that consumers will not be responsible for any fraudulent charges. But there are non-financial costs associated with identity theft -- like the time of having to switch over cards and associated automatic payments, or headaches that could be caused by trying to clear your name of fraudulent activity.