Home Depot customers were shocked Monday to find out that the country's largest home improvement retailer had been the target of a cyberattack that helped criminals recover millions of customers’ debit and credit card data. Security experts, on the other hand, weren't surprised.
Coming just a few months after a similar large-scale security breach at Target (NYSE:TGT) and dozens of smaller retailers, this type of attack should have been anticipated, say several prominent security advisors. Companies should accept that they are likely under constant threat, tighten their security measures dramatically, and even employ hackers of their own.
“I can’t think of any louder wake-up call to anyone in the industry,” Dwight Hill, partner at retail advisory firm McMillan Doolittle in Chicago, told International Business Times. “I think what they didn’t realize before but may be forced to realize now is that this is the new normal,” he said. “They’re being targeted.”
Using the deep Web as a marketplace, hackers from around the world have been developing software designed specifically to break into retailers’ point-of-sale (POS) systems to recover customer data, which is then sold on the black market to buyers who use the information to make purchases and access cash. It’s not a new phenomenon, but experts say it’s becoming more common.
“The big merchants make the headlines because of the size and scope of the attack, but for every big merchant we see in the headlines, there are hundreds of smaller merchants who have also been successfully targeted by similar rings,” said Julie Conroy, a research director at Aite Group, a security advisory firm.
She is no longer surprised to hear about incidents like Target or Home Depot (NYSE:HD), and she said retailers should stop being surprised too and plan on the assumption that they will be targeted.
“The pace and sophistication of breaches is ramping up so rapidly, that merchants have to build their security strategies with the assumption that their perimeter will be breached,” she said, adding that many types of software targeted at retailers’ sales systems are “readily available for just a couple of thousand dollars in underground forums.”
Conroy explained that one defense is to use methods such as encryption and tokenization to “devalue” their data, making it impossible to read even if criminals get their hands on it.
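The "devaluing" Conroy describes can be illustrated with tokenization: the point-of-sale system never stores the card number (PAN); it stores a random token, and only a separately secured vault can map the token back. The example below is added here and is not code from the article or from any retailer or vendor it names. The `TokenVault` class, the `pos_sale_record` function and the in-memory dictionaries are assumptions for illustration; a production vault would be a hardened, separately audited service, and the sample card number is a well-known test value, not a real account.

```python
"""Tokenization of card numbers so a POS database holds nothing worth stealing.

Illustrative code, not from the article.  The vault is an in-memory stand-in
for a separately secured service.
"""
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is all digits and passes the Luhn check digit test."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def random_token(pan: str) -> str:
    """Build a format-preserving token: same length, digits only, last four kept.

    The leading digits are drawn from a cryptographic RNG, so the token has no
    mathematical relation to the PAN.  Design choice: the token is forced to
    FAIL the Luhn check so it can never be mistaken for, or used as, a card number.
    """
    last4 = pan[-4:]
    while True:
        body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
        token = body + last4
        if token != pan and not luhn_valid(token):
            return token


def mask(pan: str) -> str:
    """Receipt-style masking: everything but the last four digits hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps tokens to PANs.  Only this component ever sees a full card number.

    Tokenization is deterministic per PAN (a repeat customer gets the same
    token) so the merchant can still link transactions without the PAN.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = random_token(pan)
        while token in self._token_to_pan:      # astronomically unlikely collision
            token = random_token(pan)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only an authorised settlement path should be able to call this."""
        return self._token_to_pan[token]        # KeyError for an unknown token


def pos_sale_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the POS writes to its own database: token and masked digits, no PAN."""
    token = vault.tokenize(pan)
    return {
        "card_token": token,
        "card_masked": mask(pan),
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    SAMPLE_PAN = "4111111111111111"   # constructed: standard test number, not a real card
    vault = TokenVault()
    record = pos_sale_record(vault, SAMPLE_PAN, 1999)
    print("stored by POS :", record)
    print("vault resolves:", vault.detokenize(record["card_token"]))
```

If an attacker copies the POS database, every row looks like `{"card_token": "..."}`: the token cannot be reversed without the vault and cannot be presented as a card number, which is the sense in which the data has been devalued.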
Todd Morris, CEO of security and surveillance firm BrickHouse Security, noted that many computer systems used by retailers are outdated, since it takes a great deal of time and money to make updates.
“A lot of the POS systems are using older versions of Windows, some of which are not well-supported and have known holes,” he said, adding that the system’s wide usage also makes it a bigger target for hackers.
He said retailers should certainly be exploring other options, such as cloud-based apps or other types of payment methods that don’t rely so heavily on older equipment.
“After Target it was pretty obvious there were some fatal flaws in the [point-of-sale] system,” he said, referring to the computer networks used by Target and other retailers to process payments. “I would have expected them to be better prepared.”