The bill for Home Depot after its sales registers were hacked: $19.5m

Re: The BORG

>>How many more compromises of retail transactions will there be for which resistance is futile?

I dare say resistance is futile for all of them. There is literally nothing a consumer can do to adequately protect their information if they are conducting business using anything other than actual cash.

Fortunately consumers, generally, only experience mild inconvenience by being forced to update auto payment systems with the latest credit card details once or twice a year. (you likely detect some sarcasm in my use of "fortunately") However in some cases, when consumers pay with a card directly tied to their bank account (debit card) they might have to go inside their bank in order to contest the charges. My wife recently had to do that when someone decided to go on a shopping spree in a country she's never been to.

That said, what really gets me mad is that the dollar amounts for the settlements are incredibly low. $0.25 per lost card info? At that rate big box retailers can simply continue doing business like they are now and just build in a $0.25/transaction fee as a fixed cost. If you want real change then these amounts need to be bumped up to something reasonable like $10 per card per offense and escalate from there.

Re: The Death of local hardware stores

Yeah, I remember ours: open between 9 and 5 weekdays and up til noon on a Saturday.

Real friendly for the commuting worker (ie the vast majority of the locals).

By the time I had the tap apart and discovered the problem they were closed again.

Hard to see how Home Despot took them out of the picture.

Re: Surprised?

No.

AV is expensive. IT pros are expensive too. Besides, its the fault of the bad guys. Blame them.

Re: Security warnings?

It most likely wouldn't have made any difference what AV vendor they were using or how recently it was updated. Traditional signature-based AV would probably not have known anything about the malware variant used against Home Depot. I don't think the AV not being updated has anything to do with the breach except that the fact it wasn't being updated and the weak passwords give an indication of the security posture of the company and the state of the security program in general. The lawyers will argue that if you are not doing the basics, then you are not dong your due diligence and putting in place accepted industry-standard measures to adequately protect customer's data.

Re: Home Depot has learned a valuable lesson here

No. I disagree. They didn't learn a damned thing. They aren't taking any responsibility for their inaction or actions. They still maintain by the agreement that they did nothing wrong and won't accept liability. This is pure BS.

Yep, $19.5m is a joke.

56 million credit card numbers? Pretty sure those things are worth at least $5 a pop, probably more if they come with matching customer data and verification codes, so we're talking $280 million right there.

In other words: it would be a viable business venture for Home Depot to sell its own customers' credit card numbers to Bad People, pocket the money, pay the "compensation", and walk away with a quarter-billion in clear profit.

Re: Software nasty installs itself on cash registers?

Yep, looks like they didn't update their point of sale software for more than 7 years.

Re: Software nasty installs itself on cash registers?

Linux machines could be infected just as easily. Had a customer where an intruder got into puppet (which was on the network edge to manage the remote offices and telecommuters) and put in a script to turn on X11-forwarding over SSH. The configuration looked like they intended for user's sessions to connect to a remote server, which would connect back to the local machine so that they could capture every keystroke, mouse movement, and window.

WIndows had nothing to do with the Home Depot breach, it was all insufficient administration.