Does Size Matter in a Data Breach?

Posted on by Fahmida Y. Rashid

Cyber-criminals stole approximately 56 million cards in a five-month attack against Home Depot's point-of-sale systems, the home improvement giant said last Friday. Many media reports homed in on the fact that the breach was larger than the attack that hit Target last year, in which 40 million credit and debit cards were stolen.

"56 million cards may not be as big as the huge Heartland Payment Systems breach, but it eclipses both the TJX [TJ Maxx] and Target breaches, and that’s going to cost Home Depot a lot of money," said Trey Ford, the global security strategist at Rapid7.

Size Doesn't Matter
Obviously, the number of cards stolen matters to Home Depot, since it could impact the total price tag for remediating the breach. The fact that the breach is measured in 'millions of cards' also matters to Home Depot "because no retailer wants that kind of press," said Geoff Webb, the senior director of solution strategy at NetIQ. But does the size of the data breach matter for anyone else outside of Home Depot? Not necessarily. 

"Does size matter? Not of the haul, and not to the defenders," said Webb.

The consumer whose card was stolen doesn't really care if he or she was one victim out of a thousand, or one victim out of 56 million. The effect on that individual—getting a new card, reporting fraudulent transactions, dealing with the aftermath of identity theft—is still the same. For IT security practitioners watching the events unfold, the size of the breach may not be as relevant as the nature of the attack.

"It is not about the number of accounts compromised or duration that the attack took place. It is about the attack vector itself," said Morey Haber, the senior director of program management at BeyondTrust.

Defenders should be focusing on the fact that the malware remained undetected for months and that attackers were patient and skilled enough to compromise very specialized equipment, Haber said. 

Response Impacts Size
On one level, it makes perfect sense that more card numbers were stolen from Home Depot than from Target. Target's systems were infected for three weeks, while Home Depot’s systems were infected for five months. Give attackers more time, and they will steal more.

"Time is statistically on the side of the attacker," said Kevin Epstein, vice-president of advanced security and governance at Proofpoint. Organizations need "rapid, automated confirmation and threat response or incident response" to minimize the amount of data that gets stolen.

Defenders need to look at their threat detection and incident response capabilities so that they can minimize the amount of time attackers can lurk on their networks, stealing data, Epstein said.

Could Have Been Bigger
If the number of records compromised is actually smaller than it could have been because the organization had good network segmentation, fast detection, or proactive security response, then discussing the size of the breach is beneficial. Defenders can see quantitatively how these security practices helped contain the possible damage. 

The Home Depot breach could have been even bigger had attackers managed to infect all the point-of-sale systems. As it was, the malware infected specifically the point-of-sale systems used by the self-checkout lanes and not the manned checkout counters.

“It has already been suggested by some commentators that if the attackers had been able to target something other than the self-checkout POS systems, then the number of stolen cards would have been much higher,” Webb said.

It’s important to remember that any device, even a headless automated self-service checkout kiosk, can be compromised. Defenders need to focus on security best practices such as network segmentation, application whitelisting on point-of-sale systems, and Web filtering so that a terminal can reach only the hosts it needs to complete a transaction. Employees shouldn't use point-of-sale systems for personal computing or browsing the Web.
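As an added illustration (not code from the original post, and not anything Home Depot or Target ran), here is what the segmentation and whitelisting advice above looks like as a checkable egress policy: an audit of flow-log lines from a hypothetical POS VLAN, where every outbound connection must land on a short allow-list (payment processor, syslog, management server) and anything else, including plain Web browsing from a terminal, is flagged. The segment, the allowed destinations, the port numbers and the sample log lines are all constructed for the example.

```python
"""Egress allow-list audit for a point-of-sale (POS) network segment.

Added example: it models "segment the POS network and only let terminals
talk to what they need" as a policy that can be checked against flow logs.
Hosts, ports and log lines below are constructed, not from a real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the POS VLAN and the only destinations it is permitted to reach.
POS_SEGMENT = ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {
    # (destination network, destination port): label
    (ip_network("203.0.113.10/32"), 443): "payment processor (TLS)",
    (ip_network("10.10.5.0/24"), 514): "central syslog",
    (ip_network("10.10.5.20/32"), 8443): "patch/management server",
}
WEB_PORTS = (80, 443, 8080)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one constructed flow-log line: 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def classify(flow):
    """Return (verdict, reason) for a flow; only POS-sourced flows are judged."""
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    if src not in POS_SEGMENT:
        return ("ignore", "not a POS source")
    # Allow-list first: a legitimate processor on 443 must not trip the web rule.
    for (net, port), label in ALLOWED_EGRESS.items():
        if dst in net and flow.dport == port:
            return ("allow", label)
    if flow.dport in WEB_PORTS:
        return ("block", "web egress from POS terminal")
    return ("block", "destination not on POS allow-list")


def audit(lines):
    """Return [(flow, reason)] for every flow that violates the POS policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict, reason = classify(flow)
        if verdict == "block":
            violations.append((flow, reason))
    return violations


# Constructed sample: two legitimate flows, one browsing session from a
# terminal, one unexpected outbound connection, and one non-POS host.
SAMPLE_LOG = """
# ts                  src          dst            dport proto
2014-09-01T10:00:01Z 10.20.0.15   203.0.113.10   443   tcp
2014-09-01T10:00:02Z 10.20.0.15   10.10.5.7      514   udp
2014-09-01T10:03:10Z 10.20.0.22   198.51.100.44  80    tcp
2014-09-01T10:05:00Z 10.20.0.22   192.0.2.99     6667  tcp
2014-09-01T10:05:30Z 10.30.1.5    192.0.2.99     6667  tcp
""".splitlines()

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} BLOCK ({reason})")
```

Run stand-alone, the script reports the two terminal flows that leave the allow-list and ignores the host outside the POS segment. The same rules would normally live in the segment's firewall; auditing flow logs against them is the detection-side check that tells you when a terminal has started talking to somewhere it never should.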

“In the end, whether it's 50 Million or 60 Million, is of little real importance. The problem is that the card processing systems at large retailers remain under sustained attack, and that as of now, the score is 2-0 to the attackers,” Webb said.

Beyond satisfying our collective curiosity, does knowing the size of the data breach help you do your job more effectively? Let us know what you think.

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference

Business Perspectives

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
