Thales Blog

A Message From Your Local Home Depot

November 11, 2014

Tina Stewart | VP, Global Market Strategy

Dear Valued Customer,

The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.

In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.

Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.

Sincerely,

The Home Depot

This is the email from Home Depot notifying customers that along with compromising 56 million credit cards, attackers also stole 53 million email addresses. When you are one of 56 or 53 million, I can’t imagine being called a “valued customer” or being told that your information “may have been taken during the payment card breach” provides great comfort.


Better yet, according to Home Depot’s FAQ: “Even if you do not receive an email notification from us, it’s safe to assume your email address could have been stolen.”

Last week, Home Depot added fuel to an already burning fire when it announced that hackers used a third-party vendor’s username and password to enter the perimeter of Home Depot’s network. From there, the hackers obtained access to personally identifiable information. This follows an announcement in September that 56 million credit-card accounts were compromised.

After two months of investigation into the hack, these new findings show Home Depot fell victim to tactics similar to those used against Target last year. If Target is the cake, Supervalu, Kmart, Michaels, P.F. Chang’s and others might just be the data breach icing.

Home Depot’s hack was not exactly a shock, but the magnitude of the breach certainly left many wondering what’s left and whether protecting data is even possible. In reality, with hundreds to thousands of computers attacked over what can be a six-month period, it is difficult to work out exactly what happened during an attack.

In many breaches, it is next to impossible to determine all of the information that was stolen. Companies are required to report data loss only when there is evidence of disclosure, which is why the many customers who received that letter did not gain much insight.

As a result of this series of breaches, Home Depot announced that it will be rolling out EMV Chip-and-PIN technology to add extra layers of payment card protection for customers. While this is a great step in the right direction, Home Depot can’t erase what’s happened and is going to find it difficult to repair its reputation.

It’s time for organizations to take action. Existing security stances and attitudes must adjust to a changed world – one where perimeters are permeable to hackers. Data-centric security – security controls that directly control and track who, what, when, from where, and how sensitive data is accessed – is the only effective tool for this. The attitude that endpoint, firewall and network defenses ‘come first’ needs to change.

The key to security comes down to people, process and technology. The first step is to apply a “least privilege” approach to data access – limiting the ability to see data, with encryption, tokenization/data masking, access controls and strong authentication, to only those who need it to perform their work. System administrators, executives and even ordinary employees whose work does not require access must be excluded to reduce risk. The next step is then to closely monitor the behavior and actions of those accounts allowed access – looking for changes in behavior that indicate that a hacker may have compromised the account’s credentials, or that the user has turned into a malicious insider.
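The two steps above, as an added example that is not Home Depot’s or Thales’ code: a toy data-centric access layer that returns only the view of a cardholder field a role is entitled to (denied, masked, tokenized or clear), with system administrators deliberately given no data access, followed by a per-account behaviour check that flags reads from a previously unseen host, a volume far above the account’s own baseline, or access outside business hours. The role policy, the log format, the account names and the thresholds are all assumptions constructed for the example.

```python
"""Added example (not the page's or any vendor's code): least-privilege
field views over cardholder data, plus a baseline-deviation check over a
constructed access log for the accounts that are allowed in."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Assumed role policy: how each role may see each field.
# "none" = denied, "masked" = partial, "token" = keyed token, "clear" = full value.
POLICY = {
    "cashier": {"pan": "masked", "email": "none"},
    "fraud_analyst": {"pan": "token", "email": "masked"},
    "sysadmin": {"pan": "none", "email": "none"},  # runs the system, never sees the data
    "payment_processor": {"pan": "clear", "email": "none"},
}

# Hypothetical tokenization key; in practice this lives in an HSM/KMS, not in code.
TOKEN_KEY = secrets.token_bytes(32)


def tokenize(value: str) -> str:
    """Stable keyed token: joinable for analytics, not reversible without the key."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def read_field(role: str, field: str, value: str) -> Optional[str]:
    """Return the view of `value` that `role` is permitted, or None if denied."""
    mode = POLICY.get(role, {}).get(field, "none")  # unknown role/field -> denied
    if mode == "none":
        return None
    if mode == "clear":
        return value
    if mode == "token":
        return tokenize(value)
    return mask_pan(value) if field == "pan" else mask_email(value)


# Constructed access log: timestamp, account, role, source host, records read.
ACCESS_LOG = [
    "2014-09-02T09:15:00 jsmith cashier pos-042 3",
    "2014-09-02T10:40:00 jsmith cashier pos-042 2",
    "2014-09-03T09:05:00 jsmith cashier pos-042 4",
    "2014-09-04T02:30:00 jsmith cashier vendor-vpn-7 45000",
    "2014-09-02T11:00:00 afong fraud_analyst wks-fraud-1 120",
    "2014-09-03T14:00:00 afong fraud_analyst wks-fraud-1 90",
]


def parse_log(lines):
    """Parse the constructed space-separated log lines into event dicts."""
    events = []
    for line in lines:
        ts, account, role, host, records = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "role": role, "host": host, "records": int(records)})
    return events


def detect_anomalies(events, volume_factor=10, business_hours=(7, 20)):
    """Flag events that deviate from each account's own prior behaviour.

    Returns a list of (account, timestamp, [reasons]) for flagged events.
    """
    history = defaultdict(list)  # account -> events seen so far, in time order
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prior = history[ev["account"]]
        reasons = []
        if prior:  # baseline checks need at least one earlier event
            known_hosts = {p["host"] for p in prior}
            avg = sum(p["records"] for p in prior) / len(prior)
            if ev["host"] not in known_hosts:
                reasons.append(f"new source host {ev['host']}")
            if ev["records"] > volume_factor * avg:
                reasons.append(f"volume {ev['records']} vs baseline {avg:.1f}")
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            reasons.append(f"outside business hours ({ev['ts'].hour:02d}:00)")
        if reasons:
            alerts.append((ev["account"], ev["ts"].isoformat(), reasons))
        prior.append(ev)
    return alerts


if __name__ == "__main__":
    print(read_field("cashier", "pan", "4111111111111111"))
    for account, when, why in detect_anomalies(parse_log(ACCESS_LOG)):
        print(account, when, "; ".join(why))
```

The policy lookup defaults to "none", so a role or field the policy does not name is denied rather than exposed, and the baseline is built per account from that account's own history, so a cashier account suddenly pulling tens of thousands of records from a vendor VPN host at 02:30 stands out even though the same account's daytime reads from its usual terminal never would.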

Retailers out there, let’s stop this pattern, protect customers and take a data first approach.