Nocera: Consumers targets in criminal card games

What is it going to take to get serious about data breaches?

I ask this question in the wake of the recent Home Depot breach, in which the “bad guys” - presumably cybercriminals in Russia - apparently penetrated the company’s point of sale terminals and came away with an untold number of credit and debit card data. (Home Depot acknowledges that all 2,200 stores in the United States and Canada were likely hacked but hasn’t yet revealed the number of cards from which data were stolen.)

This, of course, comes after the Target breach of late 2013, in which some 40 million people had their credit card information stolen. Which comes after the Global Payments breach of 2012 and the Sony breach of 2011. All of which come after the T.J. Maxx breach of 2007, in which 94 million credit and debit card records were stolen in an 18-month period.

That’s right: Seven years have passed between the huge T.J. Maxx breach and the huge Home Depot breach - and nothing has changed. Have we become resigned to the idea that, as a condition of modern life, our personal financial data will be hacked on a regular basis? It is sure starting to seem that way.

The Home Depot breach came to light in the usual way. On Sept. 2, a reporter named Brian Krebs, who specializes in cybercrime and operates the website Krebs on Security, broke the news to his readers. Krebs, who is as deeply sourced as any reporter in the country, almost always breaks the news of a new breach. He also reported that the “malware” had been doing its dirty work at Home Depot since April or May. And he discovered that millions of card numbers were being sold on a website called Rescator.cc, which Bloomberg Businessweek recently described as the “Amazon.com of the black market.”

(Interestingly, they are being sold in batches under the names “American Sanctions” and “European Sanction” - an apparent reference to the recent sanctions against Russia.)

The company - “always the last to know,” Krebs says - hastily pulled together some security experts who, sure enough, confirmed the breach. In this instance, Home Depot released a statement saying that it was investigating the breach on Sept. 3, the day after the Krebs report, and confirmed the breach on Sept. 8. As these things go, that’s lightning speed.

Of course, in its materials, the company insists that it cares deeply about its customers’ data and will stop at nothing to plug the leak. But the damage has already been done. Home Depot also claims that debit card PIN’s were not stolen. There is little solace in that, however; the crooks use weak bank security to change the PIN, after which they can use it. Sure enough, Krebs’ banking sources have told him that they “are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.”

Why the rash of breaches? “It’s easy money,” said Avivah Litan, a security expert at Gartner Inc. “The criminals are distributing this malware, so why not use it? It’s like winning the lottery.”

Kurt Baumgartner, a senior security researcher at Kaspersky Lab, noted that months before the attack on Home Depot began, the FBI alerted retailers about being more vigilant about point-of-sale cyberattacks. The Wall Street Journal reported over the weekend that Home Depot had, in fact, begun the process of strengthening its systems. But it moved so slowly that the criminals had months to vacuum card data before being discovered. Meanwhile, Bloomberg Businessweek found two unnamed former Home Depot managers who claimed that they were told to “settle for ‘C-level security’ because ambitious upgrades would be costly and might disrupt the operation of critical business systems.”

For years, the banks and the retail industry have spent more time accusing each other of causing the problem than seeking a solution. By October 2015, the United States is supposed to move to a more secure card system, using a chip and PIN instead of a magnetic stripe, as Europe did years ago. But even that won’t put an end to data breaches. It will make it harder and more expensive for criminals to crack but not impossible.

Which is why the federal government needs to get involved. With the banks and retailers at loggerheads, only the government has the ability to force a solution - or at least make it painful enough for companies with lax security to improve.

As it turns out, there are plenty of congressional initiatives to crack down on companies with weak data security, including a bill that was filed in February and co-sponsored by Sens. Ed Markey of Massachusetts and Richard Blumenthal of Connecticut. When I asked someone in Markey’s office whether the bill was getting any traction, she replied, “It’s 2014.”

Apparently, we’re on our own.

Joe Nocera is a columnist for the New York Times.