Home Depot security breach: Any lessons to be learned?

Home Depot Inc. recently suffered a security breach under which 56 million credit cards may have been compromised in a five-month attack on its payment terminals. Yesterday, an article was discussing the fact that the risks of hacking were clear to computer experts inside Home Depot, that Home Depot relied on outdated software to protect its network and that some members of its security team left as managers dismissed their concerns.

Under s. 4.7 Schedule 1 of the Canadian federal statute PIPEDA, businesses managing personal information have to protect the information using  “security safeguards appropriate to the sensitivity of the information.” A similar provision can be found under substantially similar private sector provincial laws from Alberta (s. 34), British Columbia (s. 34) and Quebec (s. 10).

The “appropriateness” of a security safeguard is something that evolves over time and sometimes, it does so quickly. For instance, following the TJX security breach in January 2007 involving a network computer intrusion affecting the personal information of an estimated 45 million payment cards in Canada, the United States, Puerto Rico, the United Kingdom and Ireland, the Office of the Privacy Commissionner of Canada and the Office of the Information and Privacy Commissioner of Alberta undertook an investigation of the breach and issued their joint Report of Findings in September 2007.

This report states that at the time of the breach, TJX had in place various technical measures in its North American stores to protect personal information, including the Wired Equivalent Privacy (WEP) encryption protocol, although this protocol was outdated, the Wi-Fi Protected Access (WPA) being an adequate encryption protocol:

80. TJX had an encryption protocol in place (WEP) that was in the process of being converted to WPA at the time of the breach. We are of the view that WEP does not provide adequate protection as it can be defeated relatively easily. It appears that the intruder may have accessed the RTS servers and client data due to a weak or inadequate encryption standard. WEP cannot be relied on as a secure system since the encryption is easily bypassed, and it is not adequate for protecting a network. We understand that TJX was in the process of changing to a higher encryption standard, and we acknowledge that a conversion of this nature requires lead time for budget, planning and implementation.

81. However, since 2003, experts have questioned the use of WEP as a secure protocol. The Institute of Electrical and Electronic Engineers (IEEE) is the organization that originally developed the WEP standard. In June of 2003, the IEEE itself recommended that the wireless encryption standard move from WEP to WPA.

Interestingly, some security law experts have expressed the view that by the time this report was issued in September 2007, this WPA protocol was already outdated.

Lesson number 1:  An organization managing sensitive information such as customers’ financial information has to make sure that it has relevant advice from IT and security experts which are knowledgeable and up to date on all recent standards.

Lesson number 2: It has been recently reported in the WSJ that Home Depot estimates that the investigation, credit monitoring service, call center staffing and other breach response and breach management steps will cost approximately $62 million. Security breaches are expensive. On top of the amount spent to manage the breach, an organization has to take into account reputational risk (the shares of Home Depot ended 0.86 percent lower at $90.82 on the New York Stock Exchange upon the announcement of the breach – S&P 500 was down that day only 0.28% vs. 0.86% decrease of Home Depot share price, wiping out approximately $1 billion of its total market value in one single day) as well as the risks of class action lawsuits (the Home Deport breach prompted class action).

This content has been updated on September 22, 2014 at 12 h 33 min.