Why Home Depot Is No Target When It Comes to Data Breach

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.bloomberg.com/news/2014-09-19/why-home-depot-is-no-target-when-it-comes-to-data-breach.html

In the annals of hacker victims, Home Depot Inc. (HD) is no Target Corp.
(TGT)

Though Home Depot’s recent data breach compromised 56 million payment cards
-- more than the 40 million in Target’s incident -- the company isn’t
predicting a hit to revenue and investors have been unfazed by the attack.
Target, in contrast, suffered a sales drop-off and a stock slump that
contributed to the ouster of Chief Executive Officer Gregg Steinhafel in
May.

Home Depot, the world’s biggest home-improvement chain, has persevered in
part because the news of its attack broke in early September -- a
relatively benign time. Americans typically fix up their homes in the
spring and early summer. Target’s hackers, meanwhile, infiltrated its
computer system during the all-important holiday-shopping season.

“Target got hit at the worst possible time,” said Joseph Feldman, analyst
at Telsey Advisory Group in New York. “For Home Depot, the peak summer
selling season was over.”

Home Depot also came forward more quickly with a public admission. The
Atlanta-based retailer made its first disclosure about a potential breach
on Sept. 2, the day it learned from banks and law enforcement that hackers
may have infiltrated its defenses. It then confirmed that it had been
attacked on Sept. 9 and followed up yesterday by giving the number of
payment cards affected.

An employee cuts a piece of plywood for a customer at a Home Depot Inc.
store in... Read More

Target’s Lag

In Target’s case, the retailer learned of a possible breach from law
enforcement on Dec. 12. The company disclosed the attack a week later,
following a report by independent journalist Brian Krebs. In addition,
Target had ignored warnings from its hacker-detection tools, missing an
opportunity to stop the problem sooner, according to a Bloomberg
Businessweek report in March.

Krebs also reported on the Home Depot attack, breaking news on the breach a
few hours before the home-improvement chain made its own statement. Still,
Home Depot’s promptness in sharing information with customers helped
improve its standing, said Jaime Katz, an analyst at Morningstar Inc. in
Chicago.

“Home Depot did a good job of being as transparent as possible to put their
customer’s fears at ease,” she said.

The company also is benefiting from data-breach fatigue. After several
retail hacker attacks over the past year, shoppers simply aren’t as
concerned anymore, said Seth Basham, an analyst at Wedbush Morgan
Securities in New York.

No PINs

Credit-card customers aren’t liable for charges made without their consent,
limiting their exposure. Home Depot has said there’s no evidence personal
identification numbers for debit cards were compromised. That data is
especially sensitive because it can be used to withdraw cash from an
automated teller machine. Purchases made online and at stores in Mexico
weren’t affected either.

Shoppers ride escalators near a Target Corp. store at the Atlantic Terminal
Mall in the... Read More

“Consumers were conditioned, somewhat, from the fallout at Target --
they’re a little less paranoid,” Basham said.

Home Depot expects to pay about $62 million this year to recover from the
incursion, including additional costs for call-center staffing and legal
expenses. Insurance will cover $27 million of that tab, the company said.

For now, the hacker attack hasn’t dented Home Depot’s growth projections.
The chain reaffirmed its revenue forecast yesterday, predicting a gain of
4.8 percent.

Stock Gains

Investors have mostly shrugged off the Home Depot breach. Since Aug. 29,
the last trading day before the hack was first made public, the shares have
slipped 1.2 percent. In contrast, Target’s stock has only recently returned
to where it was before its incursion. After its breach was revealed, the
shares fell in seven of the following eight weeks.

Home Depot climbed 0.3 percent to $92.34 today in New York, marking the
fifth straight day of gains.

It helps that Home Depot was in generally better shape than Target, which
had already been suffering from sluggish U.S. sales and a botched expansion
into Canada. The Minneapolis-based discount chain also has been contending
with more competition from e-commerce rivals such as Amazon.com Inc., and
it’s been late to move into small-format stores, an area where Wal-Mart
Stores Inc. is making gains.

At Home Depot, a rebounding housing market has fueled growth. The stock was
trading at an all-time high at the end of August, just before the retailer
acknowledged a breach may have occurred.

“For Home Depot, it’s almost an $80 billion annual revenue company and it’s
hard to see how $100 million -- or whatever the costs from the breach wind
up being -- will materially change it,” Katz said.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!