This month Home Depot announced that it was hacked and that 56 million credit card accounts were compromised, and that around 53 million customer email addresses were stolen as well. This Wall Street Journal article indicates that the hackers breached security in the following manner (among other things):
(1) Took advantage of the security credentials of a third party vendor;
(2) Entered the main system using a Microsoft operating system vulnerability;
(3) Targeted the data storage of the self-checkout payment terminals but avoided the cash register data storage (self-checkout was labelled in a recognizable way, whereas cash register was labelled numerically, making it difficult to find); and
(4) For five (5) months, lurked beneath the surface, collecting and transmitting data during normal business hours and erasing evidence of its sale.
While my posts focus mainly on business law issues, prior to my legal career I worked as an IT professional (for 11 years including 3 years of coding and 7 years as an IT manager), and the Wall Street Journal article reminded me of the vulnerabilities faced by companies that are managing significant volumes of data, and the potential embarrassment and credibility issues that result from situations like the Home Depot situation.
A company and its data security team should be alert to news articles like this one, or legal cases, as they will help to illustrate risks which can be used to develop methodologies and protocols. A suggested security protocol could be composed as follows:
(1) Periodic (daily/weekly/monthly) audit of third party vendor IDs by HR, data security staff, and project managers, to ensure that they are not active longer than they need to be;
(2) Data security and data architect collaboration to separate user information and credit card data so they are not stored together;
(3) Data security-mandated access restrictions to prevent users (even restricted users) from accessing all sections of data;
(4) Periodic (daily/weekly/monthly) audits by data security personnel of IDs that have access to sensitive information;
(5) Data security and data architect collaboration to disguise confidential parts of the site to prevent easy targeting of sensitive information by hackers;
(6) Data security periodic (monthly) stress tests of the system to look for new techniques to breach the system (rather than relying on industry standard security protocols);
(7) Daily alerts to multiple levels of personnel (inventory personnel, database personnel, data security personnel) to notify them when data is being extracted, whether the extraction is usual or unusual;
(8) Periodic training of staff (at time of hire, and, at minimum, at quarterly training refreshers) to react quickly when alerted (and so on); and
(9) Daily scan of news and legal articles to uncover security breach situations at other businesses, to develop a “risk database”, and to compare the security protocols to your business.
While this is not an exhaustive list, it sets out the basic elements of development of a security protocol, which are: who is responsible, what are they doing, and how often are they doing that.
The protocol could also include the PR aspects of dealing with a hacker attack.
The Wall Street Journal article indicates that Home Depot had developed a protocol in the event of a hacker attack: a 45-page playbook which included media messaging and executive responsibilities. While these are sensible points that a large enterprise should include in its protocol, the protocol should have very specific tactical measures to reduce the deleterious effects of a hacker attack.
Takeaway:
- Regardless of the size of the business, and whether the payment processing is handled internally or outside of the company, the company CTO should develop a security checklist, and should periodically report back to management on the risks inherent in the company’s existing system, with reference to current security breach situations in the news and otherwise.