Consumers with a Home Depot credit account should log in to their account, change their password, and check the “Account Activity” section for any suspicious transactions. They should also verify that their account communication preferences (email address, cell phone number for SMS, etc.) are on file and accurate. Home Depot and other online retailers should augment their alerting service by adding an option to notify users every time a transaction is made on their account. This would help consumers learn about fraudulent charges quicker, while also saving retailers the hassle of remediating additional fraudulent charges. - Dan Waddell, CISSP, CAP, PMP, Director of Government Affairs, (ISC)²
Once again, another major retailer is faced with a Point-of-Sale (PoS) breach. With the potential to be a larger scale breach than Target, Home Depot is left scrambling to find out what happened long after the data is gone and actively being sold. This breach presents another instance of the retailer being last to know about a security breach within its own system. Perhaps the most troubling factor is that card-issuing banks and the U.S. Secret Service are more likely to identify breaches within retailers’ walls. The lack of detective security, allowing the breach to go unfettered for months, is equally concerning for a retailer of this size and magnitude. After the massive Target breach last year, retailers have had time to absorb lessons learned from that incident and take action, yet little progress has been made. Perhaps there is not enough incentive for customers to change their purchasing habits as a result of these breaches. While Target experienced short-term losses associated with its breach, sales are moving back to normal. After all, the liability to a customer is $0, right? The issuing banks cannot stand for these large-scale catastrophes anymore as their costs from battling fraud, reissuing cards, and the administrative overhead become a burden they pass on to customers or try to claim legally from the retailer. While Home Depot will likely be affected by this incident, the consumers will pay in one form or another. - Philip Casesa, CSSLP, Director of IT/Service Operations, (ISC)²
Not to speculate, but I cannot help but think that we will see quite a number of these breaches as we approach the October 2015 deadline for Chip and PIN. Chip and PIN may help deter fraudsters looking for the next big haul, but this issue is becoming a daily news headline, with the black market becoming saturated with stolen credit card data. Meanwhile, corporations are struggling to play catch-up in regard to customer data protection. Customers should stay vigilant in monitoring their credit accounts and transactions. - Charles Gaughf, CISSP, SSCP, Information Security Manager, (ISC)²