Hackers owned Home Depot's networks for five months
If the growing list of companies reporting massive data breaches makes you start to think the Internet criminals are winning, you're right. Exhibit A is the disclosure by Home Depot in a November 6, 2014, press release that crooks extracted customer information from the company's network on a daily basis for five months before they were detected in September.
The breach that gave hackers unfettered access to Home Depot's networks -- including the point-of-sale terminals that collected customer credit-card information -- started through the company's network for third-party vendors. Once they gained access to that system, the hackers made the jump to Home Depot's internal networks, where they ran wild. In addition to the financial information they stole, the bad guys collected 53 million email addresses.
As Forbes' Paula Rosenblum explains in a November 6, 2014, article, the network was infiltrated despite Home Depot complying with the Payment Card Industry Data Security Standard (PCI-DSS). Target likewise was in compliance with PCI-DSS guidelines when its network was hacked in 2013. In both cases, the thieves gained access via the companies' vendor networks.
This is far from the end of such attacks on retailers' data networks. Companies have to assume their networks have been breached and will be breached again. Their focus must be on limiting the damage when breaches occur, primarily by encrypting data, continually monitoring for abnormal activity on their networks, and implementing more stringent access controls on their most sensitive data.
What can you do to protect yourself as the holiday shopping season approaches? Rosenblum lists several precautions consumers can take:
1) Don't use debit cards -- credit cards offer better protections against loss due to theft of your account information.
2) Use PayPal, Apple Pay, or a similar service that doesn't expose your credit-card number to retailers. Use cash rather than credit when making purchases in stores.
3) Shop online rather than at brick-and-mortar stores. In the U.S., online breaches are less prevalent than in-store breaches.
4) Use a shopping-only email address that won't jeopardize your contacts should it get stolen and the account subsequently hacked.