GDP Blog

Instead of "One More Thing" it was One More Company Hacked

Posted by John Powter

Sep 14, 2014 8:06:00 AM

Last week was the Apple event where the new iPhone came out. home_depot-040155-edited You may not have even noticed that Home Depot was hacked.  In the past, we have written about Target and the millions they lost in hard/soft costs. The Target breach was 40 Million card holders; Home Depot is estimated at 60 Million. These incidents aren't even the lead story anymore because they happen so frequently. In this article we will review;

How hackers stole credit credit and debit card info
How to guard your data when using mobile apps
How point of sale malware works
The challenge the industry and IT professionals face

Just eight months after Target suffered one of the biggest retail hacking attacks in history, Home Depot announced on September 3rd, 2014 that it too had been hacked. Security researcher Brian Krebs discovered signs of the attack after learning that Home Depot was receiving calls from banks and law enforcement about suspicious transactions. According to a continuing investigation, the hackers may have had access to cards for the last six months.

It is not known how many credit and debit cards were stolen, but according to Home Depot, there is no evidence that debit card PINs were compromised. However, it is believed that hackers are creating counterfeit cards based on the ones stolen from Home Depot customers. Hackers can then change the PIN code and make withdrawals at ATMs. Hackers continue to sell stolen card data and the cardholder’s personal information on international crime websites.

It appears that hackers used point-of-sale (POS) malware to gain access to Home Depot card terminals. The malware, known as FrameworkPOS, is thought to be based on a similar type of malware used in the Target breach, known as BlackPOS. The malware attacks POS terminals using a Windows operating system. Originally, researchers believed that the similarities between the two types of malware hinted at the possibility that the same hackers attacked both Target and Home Depot. It is now believed that differences between the two are significant enough to indicate that separate groups carried out the attacks.

Home Depot says only customers who recently shopped in their brick-and-mortar stores in the United States and Canada are at risk, as there has been no evidence of theft for online shoppers. In response to the breach, Home Depot is offering free credit monitoring and identity theft protection for its customers. The Atlanta-based company has also replaced many of its card-swiping machines with new machines that accept more secure chip-enabled cards.

Companies that house credit/debit card data and personal information about millions of customers will undoubtedly continue to be major targets for hackers. Within the past year, Home Depot, Target, Albertson’s, P.F. Chang’s, and Neiman Marcus have all been breached.  There is little doubt there are many more we are not yet aware of. As a consumer, there isn’t a whole lot you can do to prevent this from happening, but there are ways you can prepare your business in case it gets breached:

Regularly monitor your bank accounts and credit card statements for unusual activity. Often, credit card companies will notice fraudulent charges, but they can’t catch everything. Vigilance is key.

If your company uses POS terminals, always ensure they have the latest anti-virus software installed.

Make sure your employees are well trained on how to protect company data. Teach them about social engineering risks, how to pick proper passwords, and about bring-your-own-device protocols.
Guard Your Data When Using Mobile Apps

Apps can do pretty much anything—they can find the best local restaurant, chart the quickest route through snarled city traffic, and track weight loss. Unfortunately, they can also steal your data.

In order for apps to do all the convenient, helpful things they do, they use customers’ personal information, such as a physical location, contact details and passwords. Unscrupulous data thieves can steal your employees’ devices and gain access to this valuable information, or siphon it through a rogue app that your employees downloaded without knowing the app was malicious. Hackers do this by adding their illegitimate elements to the popular app and then offering it for free on a ‘bulletin board’ or through a fake online store. Once employees download the phony app, hackers may have unfettered access to their devices.

To help thwart data theft attempts, encourage your employees to follow these tips for securing personal information when using apps:

Download apps only from official, trusted stores. Be extremely wary of apps from unknown sources.
Read the information about the app in the app store before downloading it. Verify that you are comfortable with the amount and type of personal information it will be using.
Clear out unused apps regularly—inactive apps are an open invitation to thieves. If you no longer use the app, uninstall it.
Install mobile security software to defend your device.
Erase any apps from the device before you recycle, resell or donate it, since those apps may still have access to your personal information. Do this by activating the “factory reset” option in the device’s settings.

How Point-of-sale Malware Works

Attacks against POS systems in are typically multi-staged:

First, the hacker must gain access to the victim’s network.
Hackers then infect the POS terminal with malware designed to steal data from the compromised system.
When a transaction is made with the POS terminal, encrypted customer data is unencrypted briefly. The previously installed malware collects this unencrypted data.
The customer’s personal information and card data is sent to an off-site server for the hackers to use or sell.

The Challenges IT Pros Face

Being an IT professional can be stressful because the cyber security landscape is always changing. New threats emerge, and software becomes outdated and it seems like hackers won’t rest until they’ve stolen every sensitive piece of data they can access. A recent study by the Ponemon Institute of 609 IT professionals in the United States reveals just how difficult the job can be.

Sometimes the technology is an obstacle:

Fifty-five percent of respondents don’t believe their organization is protected from advanced cyberattacks, and 63 percent don’t think they could stop a data leak if it happened.

Less than half (43 percent) of respondents believe their company has adequate intelligence to identify a cyberattack, and 45 percent aren’t sure if their security solutions can inform them of the causes of an attack.
Other times, it’s upper management:

Nearly four out of five respondents say their company’s upper management does not believe a data breach would lead to a loss in revenue, and 47 percent say upper management has a low understanding of security issues.
Often, the unknown is a big threat:

Less than half (44 percent) of respondents say they have a good understanding of the threats facing their company, and only 31 percent can say for certain that their company has lost sensitive data from a breach.

Home Depot and Target (who spend millions a year on cyber security) are victims.  How is your company protected?  Cyber security is the number one emerging risk in 2015, call your GDP Advisor 800-473-8697 to let us show you how our free inspection can review your network to identify any holes. 

Topics: Risk Management

Subscribe to Email Updates

Stay Connected

Popular Posts