As of Tuesday, September 2, 2014, Home Depot was the latest merchant to announce a potential security breach.
Any more, this means intruders have stolen credit card numbers from its POS (point of sale) systems. The details have yet to be revealed.
If there is any silver lining for Home Depot, it’s the likelihood that another large merchant will probably soon announce its own breach. But one thing that’s going to be interesting with Home Depot is how they handle the breach, and whether their CEO, CIO, and CISO/CSO (if they have a CISO/CSO) manage to keep their jobs. Recall that Target’s CEO and CIO lost their jobs over the late 2013 Target breach.
Merchants are in trouble. Aging technologies, some related to the continued use of magnetic stripe credit cards, are making it easier for intruders to steal credit card numbers from merchant POS systems. Chip-and-PIN cards are coming (they’ve been in Europe for years), but they will not make breaches like this a thing of the past; rather, organized criminal organizations, which have made a lot of money from recent break-ins, are developing more advanced technologies like the memory scraping malware that was allegedly used in the Target breach. You can be sure that there will be further improvements on the part of criminal organizations and their advanced malware.
A promising development is the practice of encrypting card numbers in the hardware of the card reader, instead of in the POS system software. But even this is not wholly secure: companies that manufacture this hardware will themselves be attacked, in the hopes that intruders will be able to steal the secrets of this encryption and exploit it. In case this sounds like science fiction, remember the RSA breach that was very similar.
The cat-and-mouse game continues.
Peter H. Gregory 