by xnull2guest 4284 days ago
Because it's not relevant?

I argue it is. There's no way Home Depot could have prevented this. If they took every step suggested by every article and every comment in this 'factual discussion' they would have been owned another way. And it would have received a tirade of similar articles and similar comments about what it should have done to protect its data another way.

Hindsight and backwards engineering security suggestions is easy. But it isn't productive to the overall posture of cyber security. I guess it depends on what scope of the discussion you find interesting. The root or the symptom.


I completely agree with you. It's quite amusing to see this time and time again; 'security' folks then say "oh, it's Target/Home Depot/Heartland Payment/Apple/Adobe/Yahoo's fault"

There's an easily identifiable pattern here. Security is not economically feasible. Cyber security breaches are like industrial accidents or freak acts of nature, and they should be treated that way. Insurance, OSHA, inspectors, training. This problem is not going to go away.

Specifically for credit cards, banks could do a lot to solve the problem by removing the plaintext identity value that is a credit card number. As an engineering discipline, we can do a great deal to remove the high-value targets from flowing through many hands.

>Security is not economically feasible //

Isn't it that others bear the cost of the company's security lapses - except for good will - and so they don't really care beyond the legislated need to care? Are these companies making a loss?

It certainly sounds like Home Depot just thought that it wouldn't happen to them and so they could cheap it out - not pay for intrusion detection, not pay to have systems scanned for known vulnerabilities (I'm reading between the lines of the OP article a bit here), not paying for security updates like current anti-virus.

Companies lose huge amounts of money, much of it from PR with customers, when they are hacked. The recent eBay hack for example lost the company huge amounts of money (remember seeing but haven't had luck finding the numbers online).

But you're only thinking about customer retailers.

Many companies need to keep their intellectual property, source code, designs and trade secrets safe from hackers and competitors. Intel is a great example of a company that dominates an industry purely due to IP. Chinese companies (and government) sponsored hackers would love to utilize 12 nm transistor technology to outcompete Intel. I can't help but wonder what Intel microcode update keys would sell for.

Brazilian PETROBRAS lost billions of dollars when they got hacked by the NSA and as a result lost offshore oil drill location auctions.

There's also 'outsider trading'. Intimate knowledge of what financial decisions companies and states are going to make is big money (http://tinyurl.com/l834xou).

Finally, there's stealing money directly from corporate accounts (Axis Bank). A recent example is the theft of large numbers of bitcoins from bitcoin trading companies. Often hackers abuse automated clearing house systems to transfer data between accounts and siphon small quantities across large swaths of time/transactions (http://www.bankinfosecurity.com/ach-fraud-payroll-hack-drain...).

Then there's political hacking. The Chinese government stole Israel's Iron Dome defense system specifications. What does that 'cost'? It's hard to calculate. There are countless examples where state actors steal designs from defense contracting companies.

I think that Home Depot could have done more to prevent this. From the NYT article, it sounds like Home Depot managers failed to act on the advice of their own cybersecurity team.

This is no different than when Kenneth Lay failed to act on the warnings from Sherron Watkins about improper accounting practices at Enron prior to its collapse.

They certainly could have done more.

I'm not as confident that doing more would have prevented this. Not at the larger scope.

Perhaps additional investments would have made Home Depot a less attractive target and Walmart would have been attacked instead. Or Sears. Or Best Buy. Or Lowe's. Or Petco. But then we'd be having this exact conversation about those companies.

Let's follow the money.

If Home Depot does not make security investments you lose money. Because they get hacked. The hackers make money.

If Home Depot does make security investments you lose money. Because they are not going to shrink their margins. The customer is going to take the cost of business in this case. Hackers are going to target someone else (maybe), where the customer will again lose money. The hackers make money.

Hacking costs you money. It either costs you as a business expense or as an upfront investment in infrastructure/technology.

Yes, Home Depot cost you money. But it costs you money the same way that banks cost you money when they get robbed. Is it the bank's fault? The arguments in this thread say "Yes. Because the bank left the vault open."

I'd agree, except I don't see a way for any bank to close any of its vaults. The current state of cybersecurity is that bad.

I think that Home Depot knew, or should have known, the value of protecting their customers' data. They should have also had some idea of their exposure to the threats that are out there.

I think it's pretty basic. Any IT system has a collection of zero-day vulnerabilities. If the company is smart, they will track what these vulnerabilities are and mitigate the vulnerabilities that can be fixed. The vulnerabilities that don't get resolved will eventually meet up with a zero-day exploit. Then there will be a loss.

It would appear that Home Depot didn't mitigate their vulnerabilities, and now they will have to pay.

Zero days are by definition vulnerabilities that aren't disclosed and do not have fixes.

Therein lies the problem. Waiting for exploits to be developed before releasing fixes is reactive. More proactive code auditing could reduce the number of zero-day vulnerabilities.

I'm confused about what you're trying to say.