In September 2014, when home-improvement company The Home Depot started investigating what it called ‘unusual activity’ after stolen credit-card and debit-card details appeared on a hacker website that was associated with the Target data breach, it knew it had become the latest United States–based retailer to fall victim.
By then, the crisis-management strategy of the United States’ fourth-largest retailer by revenue was almost exclusively focused on damage limitation. And what was already the largest data breach in history, with 56 million credit-card accounts compromised over five months, subsequently got worse when an internal investigation, conducted in cooperation with law enforcement and third-party IT security specialists, confirmed that 53 million customer email addresses had also been stolen.
The Home Depot breach is just one of a number of similar attacks on retailers and financial institutions. In December 2013, United States–based discount chain Target Corporation was subject to an attack that compromised data from 40 million payment cards and personal information of up to 70 million customers. This led to a sharp drop in customer traffic and sales, and pushed the company to replace its chief information officer and chief executive officer.
Other retailers to have been attacked include Neiman Marcus Group, Michaels Stores, Kmart and Staples, while cyber predators have also targeted the computer systems at Adobe, AOL, eBay and Snapchat, restaurant chains PF Chang’s and Jimmy John’s, and supermarket chain SuperValu, among others.
The United States Federal Bureau of Investigation and Secret Service are also investigating attacks against financial institutions such as JPMorgan Chase.
‘With the events of 2013, many compliance professionals entered 2014 knowing that it would be the year of the data breach,’ says Mark Stanley, a compliance veteran with significant experience in the retail sector.
The three largest breaches in history have occurred over the last year or so, with retailers popular targets because they store huge amounts of financial data but often do not house security systems as sophisticated as those found at financial institutions. This in turn makes them vulnerable to new hacking software that targets point-of-sale (POS) systems.
The weak security on United States credit cards is partly to blame for the breaches. United States banks are only now being required to transition from cards with traditional magnetic stripes to so-called EMV chip-and-PIN cards (named after original developers Europay, MasterCard and Visa). These computer-chip cards have been in circulation in Europe and Japan for the last ten years, and this appears to have reduced their vulnerability to such large-scale attacks.
The United States transition to the new EMV cards will not be complete until well into 2015, though many retailers have already adopted the new terminals and can accept the cards at their cash registers. Ironically, The Home Depot was among the more proactive in this regard.
Many retailers (including data-breach victim Staples) have also signed on to accept new payment technologies that are based on the same principle as EMV and designed to reduce the value of stolen payment data. These include the iPhone 6 application Apple Pay, which allows the customer to securely make payments simply by waving their phone near the card terminal.
But while embracing technological solutions in an effort to prevent successful data breaches should be applauded, controlling the theft in the first place can be a more challenging proposition.
The Home Depot’s shares fell 2.5 percent following the data breach. Meanwhile, as of August 2014, Target had reportedly spent US$146 million in breach-related expenses, excluding insurance payments. And this does not take into account the financial implications of the breach for United States banks (estimated at approximately US$172 million for replacement of the stolen cards).
These figures confirm that the rapid escalation in data breaches over the last year or so has had extremely serious financial consequences for all involved. And this is before you factor in the cost of any resulting class actions alleging negligence. There is therefore little reason to assume that hackers will willingly relinquish such lucrative sources of income.
While the breaches at Target and The Home Depot are among the most costly, a statement by the latter in early November 2014 confirmed that the two attacks had something else in common: ‘Criminals used a third party vendor’s username and password to enter the perimeter of Home Depot’s network,’ said a spokesperson.
In a similar fashion, hackers entered Target’s systems via a Pittsburgh-based refrigeration contractor’s electronic billing account. Fazio Mechanical Services (FMS), which had been installing and maintaining refrigerator systems in Target stores since 2006, described itself as the ‘victim of a sophisticated cyber-attack operation’.
Although FMS provides similar services across five states for various supermarket chains and other companies (including subsequent data-breach victim SuperValu), crucially, Target was the only client to which it had remote access for electronic billing, contract submission and project-management services. As a result, no others were affected by the breach.
Hackers typically go after low-level victims or smaller third-party vendors in order to secure the credentials to access the network of a larger organisation. This means that Target effectively introduced the means by which it could be attacked by permitting FMS to connect to its internal networks. The Home Depot did a similar thing.
If United States retailers are to continue to relinquish some of their internal security controls and entrust them to third parties, which they inevitably must, they will have to better incorporate supply-chain due diligence into their key business operations. While this will involve a greater emphasis on data security, it must also involve the more diligent vetting of suppliers.
‘There is the continuing need for the supplier to be able to access the IT systems within the main company, but they generally lack parity of economic and risk imperative with the main company,’ says Stanley. ‘They are the unknown links in the chain and when the main risk component is the reputation of the target company, not them, no amount of contractual obligations will compel enthusiastic, and therefore comprehensive, protection.’
Stolen credentials alone were not sufficient for The Home Depot’s hackers to access its POS systems. It has been reported that they somehow acquired elevated rights that enabled them to navigate the barriers between the third-party vendor system and the company’s main (and supposedly more secure) computer network. The hackers were then able to deploy malware on self-checkout systems by exploiting a weakness in Microsoft’s Windows operating system (The Home Depot quickly installed the subsequent Microsoft patch but it was too late).
Of particular interest to compliance professionals is the fact that the 7,500 self-checkout lanes targeted were those with reference names in the system that clearly identified them as payment terminals. In contrast, more than 70,000 standard cash registers were missed by the hackers because those payment terminals could only be identified by number.
Computer-security specialists often criticise retailers for not sufficiently isolating sensitive parts of their computer networks from their third-party vendor systems, particularly as it is something mandated by the Payment Card Industry Data Security Standard (PCI-DSS).
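The attack path the article describes, a vendor account that reaches past the third-party portal into the retailer's main network and then its POS systems, is detectable if logon records are checked against the segment each vendor account is permitted to touch. The following is an added illustration, not code from the article or from any of the companies named; the log line format, subnets, account names and access policy are all constructed for this example.

```python
"""Added example (not from the article): flag successful logons by third-party
vendor accounts to hosts outside the segment that account may reach.
Log format, subnets, account names and policy are all constructed here."""
import ipaddress
import re

# Constructed segment map (assumption). The "pos" range stands in for the
# cardholder data environment that PCI-DSS expects to be isolated.
SEGMENTS = {
    "vendor-portal": ipaddress.ip_network("10.50.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "pos": ipaddress.ip_network("10.200.0.0/16"),
}
# Constructed policy: each vendor account and the only segments it may reach.
VENDOR_SCOPE = {"vendor-billing": {"vendor-portal"}, "vendor-hvac": {"vendor-portal"}}
# Constructed log shape: "<ts> user=<u> src=<ip> dst=<ip> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$")

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")

def parse_event(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_scope_violations(lines):
    """(user, dst, segment) for each successful vendor logon outside the
    account's permitted segments. Failed attempts, non-vendor accounts and
    unparseable lines are skipped; an 'unknown' segment is still flagged."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "ok" or ev["user"] not in VENDOR_SCOPE:
            continue
        seg = segment_of(ev["dst"])
        if seg not in VENDOR_SCOPE[ev["user"]]:
            hits.append((ev["user"], ev["dst"], seg))
    return hits

# Constructed sample log: in-scope logon, hop into corp, failed POS attempt
# (ignored), vendor logon straight into POS, employee logon, malformed line.
SAMPLE_LOG = [
    "2014-09-02T08:01:10Z user=vendor-billing src=203.0.113.8 dst=10.50.0.12 result=ok",
    "2014-09-02T08:04:33Z user=vendor-billing src=10.50.0.12 dst=10.10.4.7 result=ok",
    "2014-09-02T08:05:01Z user=vendor-billing src=10.10.4.7 dst=10.200.3.15 result=fail",
    "2014-09-02T09:12:45Z user=vendor-hvac src=203.0.113.9 dst=10.200.3.15 result=ok",
    "2014-09-02T09:13:02Z user=jsmith src=10.10.4.7 dst=10.200.3.15 result=ok",
    "garbage line with no fields",
]
```

Running `find_scope_violations(SAMPLE_LOG)` reports the hop into the corporate segment and the direct logon to the POS range, which are exactly the movements that segmentation between vendor systems and the cardholder environment is meant to prevent.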
Created jointly in 2004 by credit card companies Visa, MasterCard, Discover and American Express, the PCI-DSS is a set of policies and procedures designed to optimise the security of card transactions and protect cardholders against misuse of private information.
While it is not known whether The Home Depot and Target were compliant with PCI-DSS at the time they were attacked, many other organisations are known not to be (fellow data-breach victim Neiman Marcus has been described as a ‘repeat offender’ in some quarters).
‘The C-suite tends to be too protective of their own patch rather than recognising this data-theft issue for what it is: a border-agnostic attack on the holder of the data,’ says Stanley. ‘Simply putting up fences around your own patch means you are driving attacks towards the most vulnerable parts of the chain.’
There can be little argument with the contention that poor security controls, and poor levels of compliance with guidelines such as those covered by the PCI-DSS, increase the likelihood of a data breach occurring. Meanwhile, the Home Depot case study has also provided compliance professionals with a useful lesson on payment-terminal identification.
Supply-chain due diligence
At the end of July 2014, Illinois-based sandwich chain Jimmy John’s confirmed that it had suffered a nationwide credit-card and debit-card data breach at 216 locations. As with other retailer victims, various banks started to notice fraudulent transactions appearing on cards that had recently been used at the chain.
By September, Jimmy John’s was able to confirm that customer card data had been compromised by an intruder who had stolen log-in credentials from third-party POS vendor Signature Systems, and used them to remotely access cash-register systems.
In a statement, the sandwich chain said, ‘Jimmy John’s has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third party vendors.’
The final step is arguably the most important, as third-party risks extend beyond bribery and corruption to reputational risk. Effectively managing those risks is hugely challenging for organisations, but they increasingly have no choice, with regulators pushing them to have a thorough understanding of the strength of their supply chains.
‘The C-suite in general look to the lawyers and the compliance teams to build the criteria that the suppliers must meet contractually,’ says Stanley, ‘but rarely is genuine help and guidance given to the suppliers as to the “what”, “how” and “when” these criteria must be met.’
Whether through breaches, hacks or Trojan-horse viruses, cyber security is among the most significant risk-management issues facing companies today. And while there is certainly greater awareness of cyber threats among organisations, this must translate into action.
When a security breach occurs, compliance professionals want to quickly discover how and why it took place and how to minimise its impact on clients. But companies can also proactively manage the problem at its source. While this will inevitably involve improving data security, it also means conducting the appropriate due diligence on third-party vendors and securing the necessary representations and warranties.
‘We need to encourage a holistic, partnership approach to this,’ says Stanley. ‘We have an opportunity in compliance to show how much value this can add and, by investing in the long-term development of suppliers, can generate proper relationships that are of benefit to both parties. Without this holistic approach, the big companies will be continually looking to contractual remedies for data breaches; a real-life example of bolting the stable door.’
Suggestions for compliance officers
In addition to isolating sensitive parts of computer networks from third-party vendor systems, identifying them appropriately, and introducing other data security initiatives, compliance officers should also focus on:
- Minimising the impact of a data breach on clients by quickly learning how and why it took place and taking remedial steps to ensure it can never happen again;
- Minimising reputational damage, and its financial consequences, by controlling the media. The key to this is to manage the messaging. A statement such as the one issued by Jimmy John’s is timely and informative and, if done well, can reassure the public. The challenge is being able to send the right message at the right time.
However, in order to avoid having to take remedial steps, companies should better manage third-party relationship risks at source. Things that compliance officers should think about here include:
- In October 2013, the Office of the Comptroller of the Currency (OCC) issued guidelines for financial firms requiring third parties to be fully integrated into an organisation’s enterprise risk management (ERM) and compliance framework. The OCC guidelines are equally relevant to non-financial institutions and could be applied to contract negotiations;
- The guidelines called for robust risk-assessment and monitoring processes to be put in place regarding third-party relationships;
- The guidelines also recommended that C-suites receive adequate risk reporting on third-party relationships;
- A successful risk assessment means gaining a thorough understanding of the policies and practices of the companies that supply your supplier, and then assessing that information against your risk appetite;
- A successful risk assessment may involve comprehensive audits, which should include integrity audits, as well as training and monitoring;
- Compliance officers must nurture and push their company’s compliance culture as far down their supply chain as possible.