In 2014, Home Depot became a victim of the largest theft of credit card information from point-of-sale facilities ever, when a group of cybercriminals stole credit card credentials from their database affecting consumers from the United States and Canada. Home Depot has, as a result, agreed to pay upward of $27 million in compensatory damages to credits unions and banks who incurred a loss. The payment process included a $2 payment for every individual card affected regardless of loss, and a potential 60% reimbursement for proven losses.
Since 2014, the incidence of point-of-sale theft has become even more common, primarily because point-of-sale facilities are inherently less secure than banks or in-house databases, due to the transfer of information from vendor to vendor.
In the wake of the settlement, Home Depot has committed to hiring a new Chief Information Security Officer, and remarked that all credit card information going through the system uses secure encryption to protect consumer data.
Unfortunately, nothing is one-hundred percent secure, and in spite of encryption, malware latent in a company’s information systems can intercept information to-and-from its destinations. While it’s not clear what exactly happened in the case of the Home Depot breach, the process of subverting a large corporation’s network can be as simple as infecting a less-secure third party vendor, using their information to gain access to their share of Home Depot’s network, and planting their malware through a backdoor, as is believed to have been the case.
This situation is a prime example of the vulnerability of interconnectedness; it’s not going to go away, but there’s no cure-all panacea, either. Best practices in security always start locally; if every individual and organization ensured their own security procedures with a 1:1 adherence, there wouldn’t be nearly as many issues; but the most important part of security systems – and the prevalence of holes in those security systems – is human vigilance or, in the case of successful data breaches, lack thereof.