This is part 2 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014.
Item: Home Depot lawsuits
What is (or was) it? Breach lawsuits against Home Depot allege negligence in their handling of payment card data.
Why is it significant? Home Depot claims to have been compliant with the PCI standards in 2013 but was undergoing its 2014 PCI compliance evaluations when the breach was discovered. In a statement to investors, Home Depot concluded that their position was tenuous and that they would likely have to settle claims. At Rendition Infosec, we think that the most significant aspect is the PCI compliance angle. Although Home Depot was compliant in 2013, they were clearly not at the time of the breach. If you work breach investigations, you know that what the last auditors saw is not what you are seeing now. Announced inspections are sort of like that: companies get a chance to clean up beforehand. Attackers don't announce that they are coming. It will be interesting to see how these cases settle out and how they impact later breach investigations and lawsuits.
Could it have been prevented? Yes - of course it could have been. The fact that the company was found to not be compliant with PCI standards in 2014 (and remember that compliant != secure) means that Home Depot clearly could have done better. A company that can't even remain compliant with PCI is like an office building manager who decides that railings are no longer needed in the stairwell. Both represent an abject failure to meet basic safety standards. Of course it's always tempting to be a Monday morning quarterback on these sorts of things, but this was a pretty egregious case that impacted a lot of people. Home Depot had the means to protect their network; they just failed to execute.
Stay tuned for more installments in the Infosec year in review.