Home Depot has agreed to pay as much as $19.5 million to compensate consumers for the data breach it suffered in 2014, which affected more than 50 million cardholders. That figure includes $13 million to reimburse customers for losses and $6.5 million for a year and a half of identity protection services. The company has also paid out, or plans to pay, $161 million in total for costs related to the breach.
As part of the settlement, the company agreed to improve data security and hire a chief information security officer (CISO). That’s good. As is common in these cases, the company did not have to admit it did anything wrong. Not good. I understand this is common in these settlements, but I find it unfortunate, since the customers are affected by the negligence of the company. To me this is like saying that if I left my front door open and somebody came in and robbed me, it isn’t my fault. Companies must take data security seriously, but many of them do not even do the basics of locking the front door.
The standard approach to helping those affected by these breaches is to offer the victims identity protection services for a period of time. That sounds great, but what happens after that period ends? Cyber criminals are smart enough to know they can hold on to stolen personally identifiable information (PII) just a little longer and then use it. Of course I can change my credit card number, but I’m not going to change my name and address.
A very common cyber attack today is phishing, which tricks someone into clicking an email link or going to a fictitious website. The goal is to steal information the criminal can use to get money, defraud someone or get something else of value. Having identity protection services may help monitor your credit cards or bank accounts, but does little if someone tries to pose as you to get healthcare, uses your name to defraud a relative or makes small purchases that fly under the radar.
If you handle regulated or any sensitive data, you need to encrypt it and control access to it. That doesn’t mean only controlling access while the data sits on a file server or in a database. These breaches prove that hackers can get past those security layers. You need to apply strong encryption to the data itself and require multiple authentication factors before allowing anyone to access it.
I think these large settlements may finally be a wakeup call for organizations that handle PCI regulated data and any PII or PHI. Hopefully Home Depot and other organizations will heed the advice from security experts and the FTC and improve their data security practices to prevent data breaches in the future. Nothing spurs action like a hit to the bottom line.
Photo credit Mike Mozart