Home Depot, Apple cyber attacks highlight variety of methods used by hackers
Recent highly publicized cyber attacks against Home Depot and Apple highlight the variety of methods hackers can use to steal sensitive customer data, as well as the crisis management strategies companies can take in the wake of an attack.
While hackers that compromised Apple Inc.'s iCloud data storage network to steal personal photos of female celebrities used a combination of attacks and social engineering to guess account logins and passwords, the hackers that attacked The Home Depot Inc. used a new variant of a sophisticated malware strain deployed late last year to attack in-store payment systems at Target Corp. stores.
Home Depot has a total of $105 million in cyber insurance coverage, with American International Group Inc. providing the first layer of $10 million of primary coverage above the retailer's self-retention of $7.5 million, market sources say.
Although Home Depot said last week it's unclear how many of its customers were affected, the New York Times reported that more than 60 million credit card numbers may have been stolen in the attack on the home-improvement chain. That would make it the largest breach of a retailer's computer network, topping the 40 million credit card numbers pilfered in the Target breach.
The Home Depot and Apple attacks have at least one thing in common, said Jerry Irvine, Chicago-based chief information officer of outsourced information technology adviser Prescient Solutions.
“The common denominator in both these cases is that hackers attacked the weakest link,” Mr. Irvine said.
Another noteworthy aspect of the Home Depot and Apple attacks has been the manner in which company executives publicly acknowledged them.
In a Sept. 2 statement, Apple said “certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions,” but also denied that release of the photos “resulted from any breach in any of Apple's systems.”
“Apple is saying, 'It's not our fault,' but there are some vulnerabilities they knew about back in May,” said Christopher Nucifora, Hackensack, New Jersey-based managing partner and chair of the technology practices group at Kaufman Dolowich & Voluck L.L.P. “When you have an unlimited number of password attempts, it's an invitation to hackers. Generally, Apple does a good job on security, but this is a bit of an eye-opener.”
Breaking its silence after a week of media reports about the breach, Home Depot finally confirmed on Sept. 8 that its “payment data systems have been breached,” which it said could affect customers as far back as April using payment cards at nearly all of its 2,200 U.S. and Canadian stores.
The most noteworthy aspects of the Apple and Home Depot public statements were their timing, said Shawn Ram, executive managing director, Western regional manager and national technology practice leader at Crystal & Company. He said both companies apparently conducted thorough internal investigations before making any public statements.
“Both of these instances could become landmark cases down the road, because neither Apple nor Home Depot has readily communicated what happened,” Mr. Ram said. “They are taking the opposite tack from Target, which disseminated information as soon as it came in. Prior theory around cyber crisis management was to admit fault and notify quickly, but the experience Target had has caused many to wonder if there was a better way.”
Larry Walsh, vice chairman of Alexandria, Virginia-based consultant The Hawthorn Group L.C., said the Home Depot and Apple public relations strategies do vary from the conventional wisdom of quickly admitting when a cyber breach occurs.
The “drip drip” nature of the Target response and subsequent media and customer backlash affected how companies respond to data breaches, Mr. Walsh said. “Target showed 'creeping candor.' They got to the whole truth eventually, but they did a lot of damage to themselves in between.”
Despite their improved responses, he said reputational damage to Home Depot and Apple brands is still possible, particularly for Apple, which has made cloud computing compatibility a key feature of its entire product lineup.
“One of the things most concerning for Apple is that they are in the iCloud business, whereas Home Depot is known for selling wood,” he said. “This is an area where Apple is supposed to be bulletproof.”
In addition to reputational risk, companies suffering cyber breaches face regulatory and legal consequences if they lose customer data, Mr. Nucifora said. “What's going to happen with Home Depot from a Federal Trade Commission enforcement perspective?” he said. “The FTC has been very active in enforcement and may be looking to drop the hammer.”
As of last week, the FTC had not confirmed it was investigating the Home Depot breach, though five states had launched a joint probe into its effects on customers.
Many class action lawsuits brought by consumers and others against firms that have had data breaches have been dismissed because of a lack of definable losses by the plaintiffs. This trend may not continue, Mr. Nucifora said.
“When it comes to class actions, companies have thus far been lucky in defending them and there have been no cognizable losses,” he said. “At what point does the court determine that there is a cognizable loss, which means there's a whole other level of fees, losses and damages?”
Most experts advise a mix of risk mitigation via cyber insurance and risk transfer to handle potential monetary, legal and regulatory fallout from a cyber breach.
“The magnitude of the Target and Home Depot breaches is an indication of where this is going,” Mr. Nucifora said. “This is why risk managers need to sit down with their team to figure out if they have enough (cyber insurance) coverage, because someday they will regret not purchasing it.”
Target, the discount retailer, said in August that it had maxed out its $90 million in cyber coverage, but its gross expenses connected to the massive breach last December reached $235 million.
Earlier this month after the Home Depot and Apple breaches, broker Marsh USA Inc. unveiled a new cyber insurance policy with limits of more than $300 million, above a minimum $100 million self-insured retention that is intended to help large companies address potentially catastrophic cyber exposures, said Bob Parisi, New York-based network security and privacy practice leader at Marsh.
“The target for this is companies that view this as a balance sheet issue and have the cash or wherewithal to manage this below the $100 million exposure level but are worried about a catastrophic exposure and want to put coverage in place,” he said.