by bobzimuta 4284 days ago
Please don't bring social justice theory into a factual discussion of a company's missteps and negligence that resulted in a serious breach of its systems.

I'm not sure I fully agree with the earlier poster, but it's an interesting and useful perspective and I can't see a clear reason for it to be downvoted. Certainly not just because it "bring[s] social justice theory into a factual discussion", yeesh.
The problem is that calling "blaming the victim!" dismisses the list of faults these whistleblowers are bringing to light.
I certainly do not intend to dismiss security faults (I'm a security researcher by trade). I do, however, want to point out that such lists are invariably not exhaustive and the analysis is woefully incomplete.

Ask any security professional and they will tell you that security is a trade-off. No computer or network is 100% secure. The objective is to match the amount of security to the amount of potential loss. The estimates here are incredibly difficult to make. No person or company or philosophy has solved this problem yet.

One can claim that Home Depot made the wrong security trade-offs. But I don't see any analysis being done in these threads or articles. I see people criticizing faults and suggesting areas that they may have invested in. Ways to increase security. But I don't see any calculations on the actuarial side or figures for how much it would cost Home Depot to make those investments. I don't think a Hacker News thread is capable of making that sort of assessment, myself included.

What I can say (and did say) is that Home Depot is a victim of a theft. You are too, if your data was in the cache. Couldn't someone criticize you for keeping your data with Home Depot? That's not secure. Not just from hackers, but also from being sold to creditors and financial listing agencies. You'd be right to call me out for criticizing you for something you really can't help.

Home Depot can't help but be on a woefully broken cyber-infrastructure. It has to in order to participate in the modern economy. Its only option is to be more secure than other large retailers with the hope it will be a less attractive target ("I don't have to outrun the bear, I have to outrun you."). If someone wants in, they will get in.

They were forced to take a raw deal, and they were owned. It's going to keep happening. And making post-hoc suggestions about minor configurations isn't going to help.

They used a 7-year-old version of Symantec antivirus, and they didn't do even basic routine scans. What further analysis is necessary?
Because it's not relevant?

I argue it is. There's no way Home Depot could have prevented this. If they took every step suggested by every article and every comment in this 'factual discussion' they would have been owned another way. And it would have received a tirade of similar articles and similar comments about what it should have done to protect its data another way.

Hindsight and backwards-engineered security suggestions are easy. But it isn't productive to the overall posture of cyber security. I guess it depends on what scope of the discussion you find interesting. The root or the symptom.

I completely agree with you. It's quite amusing to see this time and time again; 'security' folks then say "oh, it's Target/Home Depot/Heartland Payment/Apple/Adobe/Yahoo's fault"

There's an easily identifiable pattern here. Security is not economically feasible. Cyber security breaches are like industrial accidents or freak acts of nature, and they should be treated that way. Insurance, OSHA, inspectors, training. This problem is not going to go away.

Specifically for credit cards, banks could do a lot to solve the problem by removing the plaintext identity value that is a credit card number. As an engineering discipline, we can do a great deal to remove the high-value targets from flowing through many hands.
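The "remove the plaintext identity value" idea above is what payment tokenization does: the merchant hands the PAN to a vault once, stores only an opaque token, and only the processor can ever turn the token back into a card number. The following is an added illustration, not code from the thread or from any real payment provider; the `TokenVault`, `MerchantDB` and `luhn_ok` names, the "processor" caller check and the test card numbers are all assumptions for the example, and a real vault would encrypt its PAN store with an HSM-held key rather than keep it in a dictionary.

```python
"""Hypothetical card tokenization vault (added example, not from the thread)."""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so the vault refuses obviously malformed PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only copy of each PAN. Lives in the PCI-scoped zone, not at the merchant."""

    def __init__(self):
        self._by_token = {}        # token -> PAN (assumed encrypted at rest in a real vault)
        self._by_fingerprint = {}  # HMAC(PAN) -> token, so repeat cards get the same token
        self._hmac_key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: lets the vault find an existing token without a plaintext PAN index.
        return hmac.new(self._hmac_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        # Token = 12 random digits + the real last four, so receipts and customer
        # service still work. Nothing about the token is derivable from the PAN.
        token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
        while token in self._by_token:
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Hypothetical authorization: only the payment processor may recover a PAN.
        if caller != "processor":
            raise PermissionError("caller not allowed to detokenize")
        return self._by_token[token]


class MerchantDB:
    """What the retailer actually persists: tokens, never card numbers."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.rows = []

    def record_sale(self, pan: str, amount: float) -> str:
        token = self.vault.tokenize(pan)
        self.rows.append({"token": token, "last4": token[-4:], "amount": amount})
        return token

    def dump(self):
        """Simulates an attacker exfiltrating the merchant's whole table."""
        return list(self.rows)


def breach_exposes_pan(db: MerchantDB, pan: str) -> bool:
    """True if a dump of the merchant's data contains the card number."""
    return any(pan in str(row) for row in db.dump())


if __name__ == "__main__":
    vault = TokenVault()
    store = MerchantDB(vault)
    tok = store.record_sale("4111 1111 1111 1111", 42.50)  # standard test PAN, not a real card
    print("merchant stores:", store.dump())
    print("dump leaks PAN?", breach_exposes_pan(store, "4111111111111111"))
    print("processor recovers:", vault.detokenize(tok, "processor"))
```

The point of the example is the last three lines: a full dump of the merchant database yields tokens that are worthless outside that merchant/processor pair, which is exactly the "stop the high-value target flowing through many hands" argument.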

>Security is not economically feasible //

Isn't it that others bear the cost of a company's security lapses - except for good will - and so they don't really care beyond the legislated need to care? Are these companies making a loss?

It certainly sounds like Home Depot just thought that it wouldn't happen to them and so they could cheap out - not pay for intrusion detection, not pay to have systems scanned for known vulnerabilities (I'm reading between the lines of the OP article a bit here), not paying for security updates like current anti-virus.

Companies lose huge amounts of money, much of it from PR with customers, when they are hacked. The recent eBay hack for example lost the company huge amounts of money (remember seeing but haven't had luck finding the numbers online).

But you're only thinking about customer retailers.

Many companies need to keep their intellectual property, source code, designs and trade secrets safe from hackers and competitors. Intel is a great example of a company that dominates an industry purely due to IP. Chinese company- (and government-) sponsored hackers would love to utilize 12 nm transistor technology to outcompete Intel. I can't help but wonder what Intel microcode update keys would sell for.

Brazilian PETROBRAS lost billions of dollars when they got hacked by the NSA and as a result lost offshore oil drill location auctions.

There's also 'outsider trading'. Intimate knowledge of what financial decisions companies and states are going to make is big money (http://tinyurl.com/l834xou).

Finally, there's stealing money directly from corporate accounts (Axis Bank). A recent example are the thefts of large numbers of bitcoins from bitcoin trading companies. Often hackers abuse automated clearing house systems to transfer data between accounts and siphon small quantities across large swaths of time/transactions (http://www.bankinfosecurity.com/ach-fraud-payroll-hack-drain...).

Then there's political hacking. The Chinese government stole Israel's Iron Dome defense system specifications. What does that 'cost'? It's hard to calculate. There are countless examples where state actors steal designs from defense contracting companies.
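The ACH "siphon small quantities across large swaths of time/transactions" pattern mentioned above is detectable precisely because it has to stay under per-transaction review thresholds: the signature is a previously unseen beneficiary receiving many sub-threshold credits over a short span. Below is an added example of that detection logic, not from the thread or the linked article; the transactions, account identifiers, the $1,000 review threshold, the four-entry minimum and the 90-day window are all constructed assumptions.

```python
"""Low-and-slow ACH siphoning detector (added example with constructed data)."""
from collections import defaultdict
from datetime import date

# Beneficiaries the company has paid before (constructed).
KNOWN_PAYEES = {"ACCT-EMP-001", "ACCT-EMP-002", "ACCT-VENDOR-77"}

# Constructed outgoing ACH credits: (date, destination account, amount, memo).
# ACCT-NEW-4419 plays the mule account added to the payroll file; every credit
# to it is under the review threshold, but they recur weekly.
TRANSACTIONS = [
    ("2014-06-06", "ACCT-EMP-001", 2850.00, "payroll"),
    ("2014-06-06", "ACCT-EMP-002", 2410.00, "payroll"),
    ("2014-06-06", "ACCT-NEW-4419", 480.00, "payroll"),
    ("2014-06-13", "ACCT-EMP-001", 2850.00, "payroll"),
    ("2014-06-13", "ACCT-NEW-4419", 495.00, "payroll"),
    ("2014-06-18", "ACCT-VENDOR-77", 12400.00, "invoice 1187"),
    ("2014-06-20", "ACCT-EMP-002", 2410.00, "payroll"),
    ("2014-06-20", "ACCT-NEW-4419", 470.00, "payroll"),
    ("2014-06-24", "ACCT-ONEOFF-9", 300.00, "conference refund"),
    ("2014-06-27", "ACCT-EMP-001", 2850.00, "payroll"),
    ("2014-06-27", "ACCT-NEW-4419", 510.00, "payroll"),
    ("2014-07-04", "ACCT-EMP-002", 2410.00, "payroll"),
    ("2014-07-04", "ACCT-NEW-4419", 490.00, "payroll"),
]


def find_siphoning(transactions, known_payees, review_threshold=1000.0,
                   min_count=4, window_days=90):
    """Flag unknown beneficiaries that collect many sub-threshold credits in a short span.

    Returns {destination: {"count", "total", "span_days"}} for each flagged account.
    """
    by_dest = defaultdict(list)
    for day, dest, amount, _memo in transactions:
        by_dest[dest].append((date.fromisoformat(day), amount))

    flagged = {}
    for dest, entries in by_dest.items():
        if dest in known_payees:
            continue  # established payees are handled by ordinary reconciliation
        entries.sort()
        span = (entries[-1][0] - entries[0][0]).days
        amounts = [a for _, a in entries]
        # Each credit individually evades review, but the count and cadence do not.
        if (len(entries) >= min_count
                and max(amounts) < review_threshold
                and span <= window_days):
            flagged[dest] = {
                "count": len(entries),
                "total": round(sum(amounts), 2),
                "span_days": span,
            }
    return flagged


if __name__ == "__main__":
    for dest, info in find_siphoning(TRANSACTIONS, KNOWN_PAYEES).items():
        print(f"{dest}: {info['count']} credits totalling {info['total']:.2f} "
              f"over {info['span_days']} days")
```

Two things the constructed data is meant to show: the legitimate one-off refund to an unknown account is not flagged (one entry), and the large vendor invoice is not flagged either (known payee), so the rule targets the cadence rather than any single amount.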

I think that Home Depot could have done more to prevent this. From the NYT article, it sounds like Home Depot managers failed to act on the advice of their own cybersecurity team.

This is no different than when Kenneth Lay failed to act on the warnings from Sherron Watkins about improper accounting practices at Enron prior to its collapse.

They certainly could have done more.

I'm not as confident that doing more would have prevented this. Not at the larger scope.

Perhaps additional investments would have made Home Depot a less attractive target and Walmart would have been attacked instead. Or Sears. Or Best Buy. Or Lowe's. Or Petco. But then we'd be having this exact conversation about those companies.

Let's follow the money.

If Home Depot does not make security investments you lose money. Because they get hacked. The hackers make money.

If Home Depot does make security investments you lose money. Because they are not going to shrink their margins. The customer is going to take the cost of business in this case. Hackers are going to target someone else (maybe), where the customer will again lose money. The hackers make money.

Hacking costs you money. It either costs you as a business expense or as an upfront investment in infrastructure/technology.

Yes Home Depot cost you money. But it costs you money the same way that banks cost you money when they get robbed. Is it the bank's fault? The arguments in this thread say "Yes. Because the bank left the vault open."

I'd agree, except I don't see a way for any bank to close any of its vaults. The current state of cybersecurity is that bad.

I think that Home Depot knew, or should have known, the value of protecting their customers' data. They should have also had some idea of their exposure to the threats that are out there.

I think it's pretty basic. Any IT system has a collection of zero-day vulnerabilities. If the company is smart, they will track what these vulnerabilities are and mitigate the vulnerabilities that can be fixed. The vulnerabilities that don't get resolved will eventually meet up with a zero-day exploit. Then there will be a loss.

It would appear that Home Depot didn't mitigate their vulnerabilities, and now they will have to pay.

Zero days are by definition vulnerabilities that aren't disclosed and do not have fixes.
Therein lies the problem. Waiting for exploits to be developed, before releasing fixes is reactive. More proactive code auditing could reduce the number of zero-day vulnerabilities.