
One thing I haven't seen the popular media take Home Depot to task on is: Why didn't they review their security after the Target breach?

The Target thing was announced in December last year. Home Depot had between then and April-May to do a full review and see if they too were vulnerable. Not only did they fail to do that, but they failed to find this issue for 5 additional months(!).

I liken it to being a miner, watching the canary die, and then continuing to work. Then you're shocked, shocked, that there was poisonous gas in the mine when you "found out" hours later.

I just looked up "gross negligence" (per corporate law) and this seems to wholly fit. This is almost textbook gross negligence, and yet not a single prosecutor in the US has gone after Home Depot. Why is that?

In fact it seems like Home Depot will walk away from this almost cost-free, no fines, no prosecution, no significant costs (the "free monitoring" is stupidly inexpensive, plus nobody actually utilises it), and only minor negative PR.

Maybe states should just fine companies 10c for every Credit or Debit Card number lost. That's a 5.6 mil fine for Home Depot, maybe then they'd take it more seriously.



> One thing I haven't seen the popular media take Home Depot to task on is: Why didn't they review their security after the Target breach?

?

It's right there in the article:

"After the Target theft, Home Depot’s chief executive, Frank Blake, assembled a team to determine how to protect the company’s network from a similar attack, said one person briefed on the project. In January, Home Depot brought experts in from Voltage Security, a data security company in California, these people said. By April, the company started introducing in some of its stores enhanced encryption that scrambled payment information the moment a card was swiped.

"But criminals were already deep in Home Depot’s systems. By the time the company learned on Sept. 2 from banks and law enforcement that it had been breached, hackers had been stealing millions of customers’ card information, unnoticed for months. The rollout of the company’s new encryption was not completed until last week."


re: "One thing I haven't seen the popular media take Home Depot to task on is: Why didn't they review their security after the Target breach?"

From the article:

"After the Target theft, Home Depot’s chief executive, Frank Blake, assembled a team to determine how to protect the company’s network from a similar attack, said one person briefed on the project. In January, Home Depot brought experts in from Voltage Security, a data security company in California, these people said. By April, the company started introducing in some of its stores enhanced encryption that scrambled payment information the moment a card was swiped."


10¢? $20 would be more like it, paid to the government, who would then, on request, provide $15 as compensation to pay for the postage and time arranging your new payment card. Even then it's just a token of the costs that they've caused to be incurred.

So, $1 billion fine, do you think they'd do it again? Executives from other companies holding that many card details might actually think it was worth paying a few $100k to get their own systems in order then.

IMO if a company can still afford to pay profits to shareholders after making these sorts of errors then you're not hurting them enough.


I downvoted your comment because I think commenting without reading the article takes away from the community. Had you spent even a small fraction of the time you spent writing actually reading the article, you would have seen what the other commenters are citing.



