Another day, another data breach. That is, at least, the way it sometimes seems. One of the highest-profile hacking victims in recent memory is Home Depot, which last month disclosed that it had suffered a massive breach of its POS systems, resulting in the exposure of 56 million Home Depot customer payment card numbers between April and September of this year, according to eWeek’s Wayne Rash. It is believed that the systems were breached by a variant of the same Backoff malware reportedly responsible for last year’s Target breach. The malware was “apparently installed on self-checkout POS terminals,” Rash reported.
The impact of the breach could be severe, for both the retailer and its customers, and should serve as a lesson in the importance of a data-centric security strategy, particularly in the retail industry.
For the cybercriminal organizations that mastermind attacks such as the Home Depot and Target breaches, the retail industry makes an alluring target, for several reasons. The biggest and most obvious draw has to do with the type of data retailers handle. Consumer financial information, such as credit and debit card numbers, can net hackers high sums, since identity thieves are always in the market for that data. In addition, the sprawl and complexity of a multinational retailer’s operations provide numerous opportunities for security gaps and vulnerabilities to present themselves, lying undiscovered until an exploit catches the organization off-guard.
The fact of the matter is that today’s cybercriminals are often extremely sophisticated and well-versed in circumventing common security controls and defenses. In Home Depot’s case, the breach remained undetected until the organization “learned of the breach from law enforcement and banking partners who were able to correlate payment card numbers offered for sale on a Russian cyber-crime site with Home Depot store locations,” as Rash wrote.
That criminal sophistication is the reason why a data-centric security approach is so critical. In most cases, it’s the data that hackers are after, and since infrastructure is often comparatively easy to breach, it’s the data itself that must be secured, whether by encryption or tokenization, and whether it’s housed in a public or a private cloud. If the data is strongly encrypted, with the encryption keys secured and held exclusively by the enterprise that owns them, then even if infrastructure is compromised and data is stolen, the data will be unreadable. It will be of no use to the hackers and will cause no damage to the enterprise or its customers.
Home Depot recognizes this. Among the measures the retailer is taking to prevent future breaches is the completion of a payment information encryption project to protect payment card information at the point of sale and beyond. When it comes to data breaches, prevention is the best vaccine.
How can organizations protect themselves from data breaches? Share your suggestions in the comments.