The Home Depot data breach is huge, and yet the general public seems frustratingly unconcerned about it.
Who should worry about data breaches?
Everyone.
You as an individual are at risk. Your bank account is at risk. Your credit is at risk. You're at risk in ways you never thought about.
Merchants are at risk, maybe to the tune of tens of billions of dollars.
Banks are at risk. In fact, the whole financial system could be at risk.
And we hate to think about it, but the entire country is at risk.
And then there are the security implications of breaches of critical U.S. infrastructure. And the global geopolitical implications of cyberwar.
That's scary.
We know that's all out there, but today I'm going to put a single data breach under a microscope.
So, put on your lab coats and let's get started...
Today, I'm focusing on basic credit and debit transactions.
They're not basic anymore.
The electronic world we've constructed isn't impenetrable. In fact, it's pretty porous.
Almost every day businesses are attacked by hackers, by malware, by criminals intent on stealing proprietary information, trade secrets, and customer information. They're going after our payment card numbers, passwords, addresses - anything they need in order to steal or make money.
Corporate and government data breaches are so common now that there's a website dedicated to what's happening: www.DataBreachToday.com.
The data breaches that have garnered the most media attention recently are the Target Corp. (NYSE: TGT) and The Home Depot Inc. (NYSE: HD) thefts.
The more recent Home Depot breach dwarfs the one last year at Target. So let's zero in on what happened at the hardware giant and what's going to happen in the future.
Home Depot's more than 2,000 North American stores were all affected. Some 56 million Home Depot customers' payment cards were exposed, compared with the roughly 40 million Target customers' cards that were breached.
Needless to say, the lawsuits are starting to fly.
One lawsuit, which is seeking class-action status, was filed on behalf of Home Depot customers even before the retailer admitted its systems had been breached. That suit anticipated the eventual admission and points to the fact that Home Depot knew about the breaches and didn't come clean, which would have helped customers who were subsequently affected protect themselves in some way.
Now banks are getting on the "sue Home Depot" bandwagon. Two credit unions are suing and seeking class-action status, claiming unspecified losses related to refunding fraudulent charges, reissuing cards, opening and closing accounts, stopping or blocking payments, notifying customers, increasing fraud monitoring, and lost revenues from a drop-off in accounts.
Whether banks can sue merchants for losses related to data breaches is about to be ruled on by a judge in a Target lawsuit. In that suit, Target is trying to derail a consolidated class action by a group of banks claiming the retailer is responsible for their losses. One estimate of Target's liability to the banks suing it is a cool $18 billion.
If the banks prevail, merchants' liability in the future will be staggering.
Between banks and customers suing, merchants are going to face charges of breach of confidence, privacy, fiduciary duty, negligent misrepresentation, and outright negligence. In short, the plaintiffs are accusing the merchants of failing to meet their legal obligation to protect customers and customers' banks.
Sometimes, as may be the case with Home Depot, there may be obvious (at least in my mind) culpability. And it may be clear that obligations were not met where they could be reasonably expected.
Apparently, Home Depot knew about the breaches at least five months before going public about them. An outside data security firm warned the retailer about "using out-of-date malware detection" systems. And a former Home Depot information securities manager has said he warned the company about the out-of-date antivirus software on its point-of-sale systems.
It was the point-of-sale systems that were compromised at both Target and Home Depot.
In fact, the U.S. Department of Homeland Security, based on U.S. Secret Service findings, warned Home Depot about Mozart (the name of the malware that infected the retailer's systems) infiltrating its checkouts.
Data security experts believe Mozart is customized malware designed to attack Home Depot's point-of-sale systems. In other words, whoever designed Mozart understood, or knew how to get around, Home Depot's safety systems. Mozart was "customized" to the retailer's technology. And it was running for at least five months before anyone detected it.
In a nutshell, the malware used a "RAM scraper" to capture a customer's card and related information between the time - just milliseconds - it was swiped and the time it took Home Depot's systems to encrypt the customer's information.
Wow!
Home Depot encrypted its customers' information - but Mozart stole the data before encryption occurred.
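The exposure window described above can be checked for from the defender's side. The following C sketch is an added example, not code from this article or from Home Depot: it audits a terminal's own staging buffer for cleartext Track 2 data left behind after the encryption step. The function names are hypothetical, the XOR step is only a stand-in for real encryption, and the card number is a constructed test value.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Luhn checksum over n ASCII digits; filters out random digit runs. */
static int luhn_ok(const unsigned char *d, size_t n) {
    int sum = 0, dbl = 0;
    for (size_t i = n; i-- > 0;) {
        int v = d[i] - '0';
        if (dbl) { v *= 2; if (v > 9) v -= 9; }
        sum += v;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Count Track 2-shaped records (";PAN=...") in a raw buffer.
   A non-zero result means cleartext card data is still resident. */
size_t count_cleartext_track2(const unsigned char *buf, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != ';') continue;
        size_t j = i + 1, n = 0;
        while (j < len && isdigit(buf[j]) && n < 19) { j++; n++; }
        if (n >= 13 && j < len && buf[j] == '=' &&
            luhn_ok(buf + i + 1, n))
            hits++;
    }
    return hits;
}

/* Hypothetical swipe-then-encrypt path. XOR is NOT real crypto; it only
   marks where encryption happens. wipe_source zeroizes the cleartext. */
size_t residue_after_encrypt(int wipe_source) {
    /* Constructed sample: test PAN 4111111111111111, not a real card. */
    unsigned char staging[64] = ";4111111111111111=29121010000000000?";
    unsigned char out[64];
    for (size_t i = 0; i < sizeof staging; i++) out[i] = staging[i] ^ 0x5A;
    if (wipe_source) {
        volatile unsigned char *p = staging; /* volatile: keep the wipe */
        for (size_t i = 0; i < sizeof staging; i++) p[i] = 0;
    }
    return count_cleartext_track2(staging, sizeof staging)
         + count_cleartext_track2(out, sizeof out);
}

int main(void) {
    printf("no wipe: %zu, wipe: %zu\n", residue_after_encrypt(0), residue_after_encrypt(1));
    return 0;
}
```

Zeroizing narrows the window but does not close it, because the data is still in the clear until the wipe runs; encrypting inside the card reader itself keeps cleartext out of the terminal's memory altogether.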
What will the eventual costs to Home Depot be? What will merchants be responsible for in the future? What was the Secret Service doing looking into Home Depot's systems? What's out there in cyberland that we have yet to face, defend ourselves against, and combat?
Who knows?
All I know is that the Home Depot data breach proves that technology is a double-edged sword.
More from Shah Gilani: There's a new twist in an ongoing SEC probe into D.C.-Wall Street corruption, and it reeks of an insider trading cover-up. Welcome to the Washington-Wall Street "Corruption Corridor."