Tuesday, September 30, 2014

About the Home Depot breach

This is no longer a secret: the Home Depot was breached and scoundrels potentially got their hands on credit card information. What is interesting, though, are the bits of information that were published by Ars Technica:
  • The security architect had a run-in with the law for sabotaging the network of his previous company
  • Some of the personnel in the security team left because management ignored their warnings and recommendations

The former may be okay: I am all for giving second chances to people. However, hiring someone who demonstrated a lack of maturity in handling a previous departure as the main security guy for a big store that handles millions of credit card transactions per day is risky, at the very least.

The second sounds like a broken record: security people get really concerned, put the information in an email or a document, and are ignored by management, which claims that security people cry "wolf!" all the time. That may be, but given the number of recent breaches, I think that we don't hear "wolf!" enough.

However, what concerned me the most is a sentence in the NY Times article:

Thefts like the one that hit Home Depot — and an ever-growing list of merchants including Albertsons, UPS, Goodwill Industries and Neiman Marcus — are the “new normal,” according to security experts.

That is really like your banker claiming it's normal for a bank to be robbed but refusing to close the vault, or a surgeon claiming that people die all the time but refusing to wash their hands before surgery.

It doesn't have to be this way, but security costs (a bit) and requires people to adapt. The latter is, from what I have encountered so far, the hardest part: people don't change their habits even when these very habits are dangerous and put the company and its clients at risk. How many times have I heard "yeah, these servers absolutely need access to the Internet" or "yeah, all our employees can connect to the network at any time of the day or night, any day of the week."

I have read estimates that put the cost of the Target breach at around $1 billion in resulting credit card fraud. The Home Depot breach is estimated at around $3 billion. Altogether, that's $4 billion, roughly the cost of a team of 50 security specialists for more than 50 years. It would be naive to call this a victimless crime: in the long run, we all pay for the mistakes of these companies, through higher credit card bills and premiums.