You remember the Target breach, right? That one took place less than a year ago, but its “repercussions are still rippling,” Forbes said. Well, this one is even bigger.
How much bigger? Let’s compare.
To date, the fallout from the Target breach has cost that company around $148 million, most of which has gone toward “settling actual and potential breach-related claims, mainly by payment card networks,” according to CNBC.
The Home Depot breach is still unfolding. On Tuesday, September 2, two large batches of payment card data showed up on the underground store Rescator. Since then, nine new batches have followed. While we don’t yet know how many payment cards are affected, ABC News reported the total could amount to 60 million.
That’s far more than the number affected in the Target breach… to the tune of 20 million more.
Why is the Home Depot data breach so huge?
Because it took so long to detect it. Only once these criminals chose to take the Home Depot data to market did anyone realize this was happening. As a result, they’ve probably been in possession of this data for a whopping five months now, since late April or early May.
Allow Brian Krebs (the investigator who originally broke the story) to connect the dots:
“If that is accurate – and if even a majority of Home Depot stores were compromised – this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”
Three weeks compared to five months. There’s the difference.
How could it have gone undetected so long?
Kenneth Dort, partner in the intellectual property practice group at Drinker Biddle & Reath, takes an unsympathetic view:
“It doesn’t exactly say a lot of good things about their data security systems if something was able to go on for months and they didn’t notice” (source).
But let’s not judge Home Depot too quickly. A long lag between infiltration and detection is not unusual – quite the opposite; it’s normal. Did you read the 2014 Verizon Data Breach Investigations Report? If so, you recall that most breaches (85%) go undetected for weeks, if not months (13%).
While a discovery time of five months is, to be sure, a long one – not to mention painful and embarrassing – it’s also not an anomaly.
Next question: how much does the fallout from a data breach like this cost? We’ll explore that question in our next post. See you Monday!