Oct 162014
 

It took home improvement retailing giant Home Depot about a week before it finally confirmed it had suffered a data breach. Home Depot first reported the possibility of a breach on 2 September 2014, but did not actually confirm the hacking until 8 September. During that time, the company made somewhat vague statements that it was still carrying out an investigation to determine whether or not its systems had actually been compromised.

Based on the company’s recent press release confirming the breach (see “The Home Depot Provides Update on Breach Investigation“), it appears that Home Depot’s internal IT security team was unaware that its payment data systems had been compromised. Instead, it looks as if the company only caught on to the breach, and then launched its investigation, once it had received reports from banking partners and law enforcement officials notifying the company of suspicious activity with payment cards used at the retailer’s various stores. (This is a trend we are seeing more often, and it is disturbing because it signals that the malware used to infect store POS systems is very difficult to detect.) The company believes the breach took place initially sometime in April 2014. No information regarding the size of the breach was included in the press release.

Home Depot has received negative publicity since the possibility that its payment systems had been breached went public. It remains to be seen just how customers will respond and the impact that will be felt on company operations; however, memories of Target’s disastrous results after revealing a breach last holiday season must be worrying Home Depot executives. Already, the New York Times has reported that some customers have filed lawsuits against the retailer (see “Home Depot Data Breach Could Be the Largest Yet“).

The point of this Advisor is not to hammer Home Depot. Let’s face it: data breaches have become a regular occurrence. And we’ve seen a number of companies’ POS systems compromised over the past year. Besides Home Depot and Target, you can add to that list Goodwill, United Parcel Service, P.F. Chang’s, Sally Beauty, Michael’s, and Neiman Marcus. The points I want to consider here are steps that an organization might take when dealing with a data breach.

The best approach, of course, is to ensure that your systems are never compromised in the first place. But in today’s world, there are no 100% secure systems. Moreover, as I reported back in February, the hackers and their malware and the techniques they use have become increasingly sophisticated (see “Hackers and Malware Are Getting Smarter”).

The obvious first step an organization must take having experienced a breach is to secure any compromised systems as quickly as possible. Not to belittle this process, but this is probably the most straightforward part of an incident response. Where companies seem to really run into the trouble is in how they respond publicly to their customers once they have uncovered an incident.

The best thing a company can do is to prepare an incidence response plan before it actually suffers a breach. Having a plan already in place means the response team will not be starting from scratch in the event the company is victimized by such an incident. Consequently, the team will be much less likely to make mistakes during the most crucial part of the response: the early stages.

A prepared plan also offers the company a much better chance of getting out ahead of the incident, making it much less likely to appear to customers that it is stumbling when it comes to taking steps to mitigate the breach and head off any possible repercussions. In this regard, I think that Home Depot may have somewhat botched its efforts by dragging out for almost a week its announcement that the company had in fact been hacked. Then again, due to the nature of the infection, it’s quite possible that the company simply could not make a definite determination any earlier. Regardless, leaving customers in suspense as to whether or not their payment card information has been stolen is setting yourself up for PR problems. We saw this as well in the various articles and news reports in which security experts and analysts speculated as to whether the Home Depot breach would eventually turn out bigger than the one Target suffered.

Of course, it is impossible to devise a plan in advance that will cover every eventuality that could arise from a possible breach or hacking incident; however, it is possible to create a plan defining the immediate steps the company is to take upon uncovering an incident.

It is especially important that the company appear up front with customers when notifying them of a breach. A customer’s first worry upon hearing about a breach is probably “Am I at risk?” This gives rise to the question, “Should I keep doing business with this company?” Vague statements pertaining to the size of the breach, or regarding the extent to which information has been compromised, can give customers the impression that the company does not know what it is doing.

The bottom line is that when responding to a data breach, all customer communications should be straightforward and to the point. In short, customers want to hear that the company is on top of things and that specific actions have been taken to protect them from fraud and identity theft. Consequently, when developing an incident response plan, any action items should be formulated based on the customer’s perspective.

Finally, I’d like to get your opinion about what steps you think should be taken when revealing a data breach. As always, your comments will be held in strict confidence. You can email me at chall@cutter.com or call +1 510 848 7417 with your comments.

avatar

Curt Hall

Curt Hall is a Senior Consultant with Cutter Consortium's Data Insight & Social BI and Business & Enterprise Architecture practices. His expertise includes BI, data warehousing, data mining, and other analytical technologies and products.

Discussion

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)