LESSONS LEARNED Home Depot Security Breach

Home Depot is an American retailer of home improvement products and services. It operates many big-box format stores across the US and all ten provinces of Canada.

In September 2014, Home Depot, the US home improvement retailer, confirmed it experienced a breach in security that affected as many as 56 million credit and debit cards in Canada and the US. Criminals used unique, custom-built malware to steal account numbers from Home Depot’s point-of-sale systems. The do-it-yourself retailer has 180 stores in Canada and more than 2,200 in the US.

Despite ongoing efforts to improve internet security systems, hackers continue to find holes in various industries, causing mayhem to both corporations and consumers that trust their information will be protected. Inadequate company safeguards and the mishandling of consumer data can come at a high price, not only in the form of lawsuits but also consumer mistrust, resulting in devalued company stocks. The security breach could cost Home Depot $3 billion.[i]

Related Incidents – Celebrity Hacking & Target Breach

Home Depot’s story is not an isolated incident. Recently, Jennifer Lawrence and other celebrities, whose private pictures were leaked online, may have had their Apple iCloud passwords stolen by hacking software.[iii] Inappropriate pictures of Jennifer Lawrence and many other celebrities were posted on the anonymous message board 4chan and other internet sites, infuriating the stars and their management.

US discount retailer Target suffered stagnant sales and its profits were hard-hit by its security breach during the holiday season of 2013.

According to Home Depot’s press release dated September 18, 2014, the investigation revealed:

• “Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners.
• The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.
• The malware is believed to have been present between April and September 2014.”[ii]

Home Depot’s statement also indicated it had completed a security upgrade that should prevent any further breach of its systems in US stores and will roll out enhanced encryption to its Canadian stores by early 2015.

According to Home Depot, terminals identified with the malware were taken out of service and the malware has been eliminated from the company’s systems. Canadian credit and debit cards have chip technology that should protect customers, it said. Home Depot said it has rolled out enhanced encryption of payment data to all its US stores and plans to have the same safeguards in place in Canada by next year. Home Depot repeated its assurance that there is no evidence the cybercriminals gained access to customers’ PINs.

Industry Impact

Data theft has become a disturbing trend, expanding worldwide at an alarming rate. Unlike traditional theft crimes, data theft is difficult to detect and even more difficult for companies to overcome. On top of the financial losses of lawsuits, payouts, and litigation costs, individuals within the company could also face jail time if their actions are deemed fraudulent, negligent or wholly indifferent to the potential harm to the consumer.

Many of these types of losses could possibly be avoided if a verifiable management system standard such as ISO/IEC 27001, for information security, is in place. Such a management system would have helped prevent violations involving electronic commerce, online transactions, and publicly available information.

ISO/IEC 27001 takes a risk-based, holistic approach to security and has an overarching top-down governance process supported by 114 built-in controls that address people, processes, and technology to ensure that information security is an integral part of information systems through the entire lifecycle of a transaction and across the enterprise. This also includes the requirements for information systems which provide services over public networks. Certain controls in ISO/IEC 27001 address public networks and transactions, specifically A.14.1.2, Securing application services on public networks, to protect information “from fraudulent activity, contract dispute and unauthorized disclosure and modification”, and A.14.1.3, Protecting application services transactions, to “prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.”

Home Depot Responds

Home Depot hastened to assure investors that it is on track to meet its target sales in the third quarter. In its September 18, 2014 news release, Home Depot estimated its sales will grow by 4.8 percent and raised its estimate of third quarter profit per share to $4.54, from $4.52.

Home Depot’s profit estimates take into account the costs of investigating the breach, providing credit monitoring services to its customers as well as legal and professional services. It has pledged that no customer will be on the hook for any fraudulent charges.

But it has not factored in any losses related to the breach, including liabilities on consumer credit and debit cards and from any civil litigation. “Those costs may have a material adverse effect on the Home Depot’s financial results in the fourth quarter or future periods,” according to its news release.

The size of the hack makes it more likely Home Depot will face steep costs. BillGuard, a personal finance security service, estimated the potential fraud to cost as high as $3 billion for the company.[iv]

Already, it faces a class-action suit on behalf of Canadian customers, launched by Saskatchewan lawyer Tony Merchant. He estimates up to four million Canadians may be affected by the breach.[v]

BSI Solutions

BSI provides certification to standards developed to protect your organization. As an Information Security Management System, ISO/IEC 27001 is designed to help you select adequate and well-balanced security controls which will protect information assets and give confidence to interested parties, including your customers. Certification to ISO/IEC 27001 is an essential safeguard for any organization. In addition to certification services, BSI offers a range of training courses that are designed to provide the tools you and your staff need to learn and understand ISO/IEC 27001, as well as oversee audit programs for your management system. BSI works with this standard, and many more, to protect your organization and its most valued assets, including the relationship between you and your customers, from potential threats.

Cloud Security

For cloud security, BSI and CSA STAR Certification provide a comprehensive set of offerings for cloud provider trust and assurance. The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries, and governments around the world. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Control Matrix, a specified set of criteria that measures the capability levels of the cloud service. To find out more, visit www.bsiamerica.com

About BSI

One Company, One Solution. By packaging assessment, training, and a management system toolset, BSI delivers a business improvement solution that combines it all in a comprehensive service offering and allows us to provide an integrated approach to meet the needs of your organization and embed excellence across the business. BSI presents a one-stop value proposition from the decision to improve systems through to registration and continual improvement. From start to finish, BSI helps turn complexity into simplicity.

BSI Group America Inc.
12950 Worldgate Drive, Suite 800
Herndon, VA 20170
USA
Tel: 1 800 862 4977
Fax: 1 703 437 9001
Email: [email protected]
Web: www.bsiamerica.com

BSI Group Canada Inc.
6205B Airport Road, Suite 414
Mississauga, Ontario L4V 1E3
Canada
Tel: 1 800 862 6752
Fax: 1 416 620 9911
Email: [email protected]
Web: www.bsigroup.ca
www.bsigroup.ca/fr

References

[i] http://www.cbc.ca/news/business/home-depot-credit-card-security-breach-could-cost-3b-1.2768043
[ii] https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf
[iii] http://www.people.com/article/jennifer-lawrence-FBI-investigating-phone-hack
[iv] http://blog.billguard.com/2014/09/home-depot-data-breach-estimated-impact/
[v] https://www.merchantlaw.com/classactions/homedepot.php

Copyright © 2014 The British Standards Institution. All Rights Reserved.

BSI/USA/401/MS/1014/E