Home Depot Data Breach
Background on the 2014 Home Depot Data Breach
Home depot was the target of a cyberattack on their information system infrastructure that lasted from April of 2014 to September of 2014. As a result of the attack and following data breach, 56 million credit-card accounts and 53 million email addresses were stolen. (“Home Depot Hackers Exposed 53 Million Email Addresses”) The cyberattack involved several steps. First, the attackers gained third party credentials allowing them into the system. Next they exploited an unknown weakness in the system that allowed for the attackers to elevate their own access privileges. Finally, they installed malware on Home Depot’s self-checkout systems in the U.S. and Canada, allowing for the data to be stolen.
Because this was a multistage attack, there were several stages of failures. While this shows that there were multiple lines of defense, the fact that there were multiple failures as well is a large issue. It demonstrations that even with multiple lines of defense Home Depot was still not adequately protected. The first failure was that the attackers acquired credentials from a third party vendor. This may not have been Home Depot’s fault directly, but there are still governance processes they could’ve employed to prevent it. Once the attackers were in the system they exploited yet another vulnerability that allowed themselves to elevate their access rights. The third vulnerability that was exploited was the lack of anti-intrusion software that allowed the installation of malware. (“Home Depot Breach Expands, Privilege Escalation Flaw to Blame”)
In the year prior to this most current data breach, Home Depot suffered two smaller cyberattacks. In the aftermath, security contractors urged the company to strengthen its security measures by activating an unused feature of its security software, a Symantec product called Endpoint Protection. This unused added line of defense would have provided an additional layer of protection to the retail terminals where customers swipe their cards. (“Home Depot Hacked After Months of Security Warnings”).
The Effects of the Breach are Significant and Wide Reaching The data breach at Home Depot is current because the breach itself occurred just over one year ago, and the company did not announce their knowledge of the breach until September 2015. Home Depot is not the only large retailer to fall victim to cyberattacks in recent months. Many big merchants, ranging from high-end retailer Neiman Marcus Group Ltd. to grocer Supervalu Inc. to Asian restaurant P.F. Chang’s China Bistro Inc., have been targeted by cyber attackers. (“Home Depot’s 56 Million Card Breach Bigger than Target’s”) Appendix A shows that data breaches in retail industry increase exponentially every year. Based on SafeNet’s Breach Level Index (BLI), 83% of data records from the retail industry were stolen between April and June 2014. 145 million data records that were stolen came from the retail industry. ("The Art of Data Protection » The Real Cost of a Retail Data Breach.") It is noteworthy that the genesis of many of the data breaches are third party vendors. The effects of this breach are clearly significant for both the retailer as well as other parties. Home Depot is affected both financially and otherwise. Home Depot’s management has indicated significant expenses in terms of “legal help, credit card fraud, and card re-issuance costs” following the 2014 cyberattacks to the company. A report by Ponemon Research estimates that Home Depot will spend approximately $194 per compromised record. The costs that the company will incur can be broken down into six different categories: investigation and remediation, notification, identify theft and credit monitoring, disruptions in normal business operations, and lost business. Investigation costs involve those related to examining how and why the data was compromised, and remediation costs relate to the costs incurred to set up safeguards. Home Depot’s pre-tax expense relating to investigation and remediation was $43 million in the third quarter of 2014 alone. Notification costs relate to notifying the relevant individuals, regulators, and media personnel. Simply mailing notification letters, at 49 cents per stamp, equates to a $27.44 million expense. Costs relating to identify theft and credit monitoring include the cost of identity theft protection for each of the victims. Assuming $10 per victim, this results in a $560 million cost for Home Depot. Disruptions to Home Depot’s normal business operations include the opportunity cost of the reduced investments in the company’s operations, as well as reduced time on standard business activities. This cost is estimated to be $20 per victim. Home Depot will likely lose business due to customers being scared away, and the related cost is approximately $30 per victim. Finally, lawsuits relating to the data breach are expected to incur $3 billion in expenses for Home Depot. 44 suits have already surfaced since the cyberattack. (“Home Depot: Will The Impact Of The Data Breach Be Significant”) This is also significant for customers of Home Depot who may have lost their own money due to fraudulent transactions of their credit cards. They also have to deal with the inconvenience of getting a new card, which will likely have to be entered into any website where they’ve purchased something online with their compromised cards. These breaches also have a large effect on financial institutions that issue these cards. They spend time and money to detect when the fraud is happening and attempting to stop charges from going through. They also need to spend money to reissue cards to their customers. This is especially painful for smaller banks and credit unions and their customers. The smaller banks don’t have the same fraud detection and prevention abilities as the larger banks, so they respond by deactivating large and reissuing large batches of cards. The costs of this are often passed to their customers over the long term in the form of higher fees for example. One study estimates that credit unions alone realized a cost of $60 million to deal with this specific breach. (“Home Depot Breach Cost CUs Nearly 60 Million”) There is one more level of significance, and it involves all breaches of this type at retailers. While this incident is only one piece of the puzzle, the rising number of these breaches could lead to increased regulations for retailers. Some have suggested that retailers that deal with this type and this amount of personal financial information be subject to the same regulations as financial institutions such as banks. (“Home Depot Breach Cost CUs Nearly 60 Million”) In the overall economy it seems that retailers are the weak link the same way third party access control was the weak link at Home Depot specifically. (Something about the number of breaches such as these in recent months/years?) According to security experts, “Thefts like the one that hit Home Depot are the ‘new normal.”(“Ex-Employee Say Home Depot Left Data Vulnerable”) This is a troubling statement considering the widespread complacency and reluctance to act by retailers in today’s cybersecurity environment.
There Are Several Realistic Solutions to Home Depot's Weaknesses
Appendix C shows a significant relationship between customer loyalty and retail breaches. Retail data breaches cause significant damage to a retailer’s brand image and the customer loyalty and it ultimately affects to revenue loss. This indicates that it is important to prevent or prepare for data breach incidents. There are several solutions to reduce the number of breaches at Home Depot overall. However, it seems prudent to address the failure in each line of defense individually.
The first issue is third party access. While it isn’t Home Depot’s responsibility to protect its vendor’s data and credentials, it is Home Depot’s responsibility to conduct due diligence and take care when selecting their vendors. “Choosing an assessment vendor: what to look for” suggests some specific solutions to vendor issues. These include careful initial vendor selection assessments, ongoing vendor assessments and requiring updates from the vendors about what they are doing to secure themselves, or even going so far as providing training to vendor employees to combat against phishing or other social engineering tactics (Handler). Additionally, in order to perform effective vendor assessments, a company needs to address in service agreements which is one of the enabling processes of COBIT in the plan phase (“Processes Reference Model”). This is a critical issue considering the number of retailer breaches that come from third party access issues or mistakes. Another solution could be to better educate employees about the danger of phishing attack or social engineering. According to getcybersafe.gc.ca ("Phishing: How Many Take the Bait?"), there are as many as 156 million phishing emails sent out every day. Of those sent out, 16 million emails are estimated to make it through the filter, and 8 million are opened. Refer to Appendix B for more information about phishing. Given these statistics, one can see the importance of preventing these phishing attempts from being successful. Home Depot should consider investing more in security technology that can filter out these phishing attacks. Home Depot should also consider partnering with other retailers on operations eliminating the phishing sites. The second issue is the elevation of access rights. While the exact flaw that allowed the escalation of rights is not known to the public, there are still steps that can be taken to mitigate this risk. More specifically, there are a myriad of compensating controls that could be used in this situation. In “protect your network against elevation of privilege attacks” article, it suggests some ways to reduce the risk of elevation of privilege attacks. Home Depot should implement new change management and access policy management policies. New additions could include the requirement of approvals to escalate rights, periodic access reviews, and after-the-fact spot checks on access rights elevations during the year. Also, avoiding running in Native mode or migrating user to domain is another way to prevent (Posey). Even if these solutions don’t completely prevent a user inappropriately elevating their access, they would ensure that all administrators are highly trustworthy. If a policy such as access reviews caught this escalation sooner there is a good chance that the breach wouldn’t have lasted for 6 months.
The final issue is the installation of malware. Home Depot has stated that this malware was unique and previously unknown. That being said, Home Depot was not utilizing intrusion prevention software that it already had access to, Symantec’s Endpoint Protection. (“Home Depot Hacked After Months of Security Warnings”) This software is specifically designed to detect intrusion and malware such as what was used and is a very good solution to combat this issue. According to Josh Grunzweig, a malware researcher at data analyst Nuix, “Simple tactics go a long way, like keeping track that something new is running, I’d argue that would catch 95 percent of this stuff” (Ben Elgin, Michael Riley, and Dune Lawrence). Even if the software doesn’t detect the specific malware installed, it can still detect other irregularities in the system that could be the cause for alarm; things such as a strange or inappropriate server talking to the checkout registers. That being said, one of the main drawbacks of solutions such as this is that they can produce false positives and identify legitimate software as malware, thereby causing delays and downtime in the system. It also appears that a better risk assessment should have been conducted, and seriously considered. Ex-employees of Home Depot have stated that the firm was slow to raise its defenses, even when given clear warnings of the risks. They employees also said that when they sought new software and training, managers responded with the response, “We sell hammers.” (“Ex-Employee Say Home Depot Left Data Vulnerable”) This kind of management response points towards larger issues, such as company culture that are hard to change with any specific policy.
These Solutions Can Be Audited Relatively Easily The processes for auditing each solution are also varied and thus should be discussed separately. The first solution is careful vendor selection, ongoing vendor assessments, and potentially conducting training. The first step in auditing these processes could be to conduct reviews of the policies for vendor selection and assessment once a year. This review would make sure the selection criteria and assessments are up to date and are actually evaluating vendors on their ability to secure themselves. The next step would be to audit individual assessments that happen throughout the year to make sure they are being completed timely and correctly. For example, if Home Depot signs contracts with 50 new vendors, a sample of the assessments done could be audited to make sure they were completed correctly. Over the years the process of testing sample could be changed to make it more efficient while still providing an acceptable level of risk mitigation. The training is not likely to be put in place because this isn’t exactly Home Depot’s responsibility; it is also a little bit more difficult to audit. Security managers could attest to the fact that the trainings have occurred, but it would be difficult to assess their efficacy, and they are likely to be relatively expensive for the protection they provide. That being said, they are still important. From an audit perspective, to audit for the capability of the system defending against phishing, we can look at the email logs or go through the email from the vendor account to see if unusual emails exist. By doing this, we can have a good assessment of how effective the filter is in term of blocking out spam and malware emails.
The second solution revolves around access policy and change management policies. If Home Depot began requiring approvals for rights elevations, these approvals could be audited on a sample by sample basis, the same way as the vendor assessments. Home Depot could also conduct quarterly or monthly access reviews to see which vendors and users have access to what parts of their system. These things are relatively easy to do in terms of time and resources. They are likely something that most large companies already do. (“The Power of the Quarterly Business Review – QBR”) The third solution is to make sure the firm is utilizing up to date anti-intrusion software. This can be audited over any time period and can be split up into various parts. For example, the firm could conduct an overall environment assessment once a year to determine where their vulnerabilities are. This would be high level, making sure the firm had various protection software in its portfolio to protect against the various kinds of malware. The second part would be on more of ongoing basis where the information security team would be periodically checking to make sure the software in above the environment is actually up to date and running. This is critically important because new malware is constantly being introduced and the software to combat it is constantly being updated.

Appendix A

Source: Gertz, Andrew. "The Art of Data Protection » The Real Cost of a Retail Data
Breach."The Art of Data Protection. N.p., n.d. Web. 09 Dec. 2015.

Appendix B

Phishing: How many take the bait? (Data from 2012) | Number of phishing emails sent out | 156 million | Make it through the filter | 16 million | Number of emails opened | 8 million | Phishing links clicked within those opened email | 800,000 | Victim of scam | 80,000 |

Source: "Phishing: How Many Take the Bait?" Phishing: How Many Take the Bait?N.p., n.d. Web. 09 Dec. 2015. <http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-en.aspx>.

Appendix C

Appendix C shows significant relationship between customer loyalty and retail breaches. Retail data breaches damages to brand image and the customer loyalty and it ultimately affect to revenue loss. This indicates that it is important to prevent or prepare for data breach incidents.
Source: Gertz, Andrew. "The Art of Data Protection » The Real Cost of a Retail Data
Breach."The Art of Data Protection. N.p., n.d. Web. 09 Dec. 2015.

Works Cited
“APPENDIX B: COBIT 5: PROCESS REFERENCE MODEL”. Governance of Enterprise IT Based on COBIT®5: A Management Guide. IT Governance Publishing, 2013. 144–144.

Banjo, Shelly. "Home Depot Hackers Exposed 53 Million Email Addresses."WSJ. N.p., n.d.
Web. 09 Dec. 2015.
Creswell, Julie, and Nicole Perlroth. "Ex-Employees Say Home Depot Left Data
Vulnerable."The New York Times. The New York Times, 19 Sept. 2014. Web. 09 Dec. 2015.
Elgin, Ben, Michael Riley, and Dune Lawrence. "Home Depot Hacked After Months of Security
Warnings." Bloomberg.com. Bloomberg, n.d. Web. 09 Dec. 2015.
Gertz, Andrew. "The Art of Data Protection » The Real Cost of a Retail Data
Breach."The Art of Data Protection. N.p., n.d. Web. 09 Dec. 2015.
Handler, Charles. "Choosing An Assessment Vendor: What To Look For."Recruiting
Intelligence. 14 Sept. 2006. Web. 15 Dec. 2015.
Kerner, Sean Michael. "Home Depot Breach Expands, Privilege Escalation Flaw to
Blame."Home Depot Breach Expands, Privilege Escalation Flaw to Blame. N.p., n.d.
Web. 09 Dec. 2015.
Murphy, Lincoln. "The Power of the Quarterly Business Review – QBR." Customer Success Software Gainsight. Gainsight, 23 Sept. 2014. Web. 13 Dec. 2015.
Roman, Jeffrey. "Home Depot Breach Cost CUs $60 Million." - BankInfoSecurity. N.p., n.d.
Web. 09 Dec. 2015.
"Phishing: How Many Take the Bait?" Phishing: How Many Take the Bait?N.p., n.d. Web. 09
Dec. 2015. <http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11- en.aspx>. Posey, Brien. "Protect Your Network against Elevation of Privilege Attacks."TechRepublic. 27
May 2002. Web. 10 Dec. 2015. <http://www.techrepublic.com/article/protect-your-network-against-elevation-of-privilege-attacks/>.