BreachExchange mailing list archives

I Feel Nothing: The Home Depot Hack And Data Breach Fatigue


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 3 Sep 2014 19:10:11 -0600

http://www.ideastream.org/news/npr/345539074

How many megahacks have we consumers faced in recent memory?

Well, there was that Target one that affected something like 110 million of
us. Earlier this year, OpenSSL, the protocol that protects much of the
Internet, was hit by the Heartbleed bug and exposed most of us. Then there
was news that hackers got 1 billion email and other sign-in credentials
this summer.

This weekend, the Internet imploded when some ne'er-do-wells stole and
shared nude images of female celebrities. Hackers broke into the world's
biggest bank, JPMorgan Chase. And not even Home Depot may be safe. Holes in
the hardware giant's data security may have exposed more American credit
card numbers than Target did.

You've certainly read the what-to-do-in-the-event-of-a-hack stories here,
and elsewhere. How many times have we recommended looking at your credit
card bills for any weird purchases, or had security experts remind us to
change our passwords, or use two-factor authentication, or not trust the
cloud with our most private images?

There are systemic issues that need to be fixed, namely why we're still
using decades-old magnetic stripes on our credit cards when the rest of the
world uses the more secure chip-and-PIN system. (While retailers like
Target have tried to move to new systems, banks and Visa and MasterCard
have been slow to switch consumers to more modern payment systems.)

And I am not saying that these crimes are small — they are costing our
retailers and banks millions, if not billions of dollars to recover from
these data hacks time and time again. Forbes wrote about the potential
damage to Home Depot:

"If the breach did occur and is larger than Target's the debacle could cost
Home Depot dearly. Last month Target said its breach cost $148 million and
the mess eventually led to the ouster of CEO Gregg Steinhafel. Target
shares are down more than 4% year-to-date."

But because banks are responsible for making us whole if our credit cards
are misused, and we are simply issued new cards (an annoying hassle, but
not life-altering), I join you in reacting to news of these hacks with a
shrug.

"We are in the trough of disillusionment," says Gartner security analyst
Avivah Litan. "Over 1,000 retailers have been hit; it's not limited to Home
Depot. There are 999 others that no one's talking about."

Litan says we have become numb to this news because consumers always get
paid back. And the criminals are stealing a lot more data than they can
use. "So most people haven't had a lot of damage from this," Litan says.
"Banks are so quick to reissue new cards, no one cares anymore."

But the damage does fall disproportionately on retailers. They spend a lot
of money on security to prevent breaches of their payment systems and keep
their names out of hacking-related news. But really, retailers must rely on
the payment systems standardized by card issuers and the banks.

So when we ask why payment systems are insecure, it's bigger — much bigger
— than a lack of security at Home Depot, or Target, or name-that-brand.
It's really about an entire system that needs to play catch-up. Because we
shop across many stores, and not just one, banks and card companies have to
take the lead. So far, they've pledged to move to chip-and-PIN cards
starting next year, but Litan says that could take seven to 10 years.

Cue the next hacking hype cycle.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
