New credit cards could foil some thieves, but companies slow to adapt

Home Depot’s investigation of a suspected hacker attack is renewing pressure on retailers and credit-card providers to strengthen security and update technology.

The largest home-improvement chain had not confirmed as of Wednesday that it had a data breach, first reported Tuesday, but said it was cooperating with banks and law enforcement investigating the possible incursion.

This latest probe comes a week after Bloomberg News reported that JPMorgan Chase & Co. and at least four other banks were targeted by hackers in a coordinated attack. Target Corp., Supervalu Inc. and Neiman Marcus Group Ltd. are among retail chains that have recently endured attacks.

“The criminals are getting smarter faster than the companies,” said Jaime Katz, an analyst at Morningstar Inc. in Chicago. If the Home Depot breach is on the same scale as Target’s incident last year, “there is obviously significant concern,” she said.

The incident raises fresh questions about retailers’ slow adoption of “chip and PIN” technology, which makes credit cards more secure, said Michael Sutton, vice president of security research for San Jose, California-based cloud-computing company Zscaler Inc.

“Retailers are now seeing firsthand why the technology is necessary and how technology costs pale in comparison to the direct and indirect costs associated with a major data breach,” Sutton said.

Some U.S. companies have fallen behind schedule in updating their systems with the technology. Credit card networks have set an October 2015 deadline for most U.S. merchants to upgrade their payment systems.

Home Depot is one of the companies that has been scaling up with new chip and PIN card readers at checkouts, but many American credit cards companies have not yet issued the cards.

Chip and PIN is considered more secure because it’s harder to copy account numbers and security codes from chips than from the magnetic strips on most cards used in the U.S. Chip and PIN cards also create a unique code for each transaction, making them more difficult to hack or counterfeit than striped cards.

“The technology has not been widely adopted in the U.S., primarily due to lobbying by retailers who were concerned about the cost of implementing the technology,” Sutton said.

Home Depot posted a note to shoppers on its website, urging them to monitor their bank and credit card accounts and report any suspicious activity. It is trying to reassure customers, saying the company will offer free credit monitoring and other help to those affected.

The hackers who targeted Home Depot probably took their time to retrieve the data without detection, said Trey Ford, global security strategist for Boston-based software security company Rapid7 LLC.

“They are efficient, they are focused, and they manage their risk and exposure the same way a businessperson would,” he said. “It’s kind of a slow game of cat and mouse.”

In most cases, retailers haven’t detected the data breaches themselves. Credit-card companies and law enforcement have uncovered them after seeing suspicious transactions, weeks or months after the information is first stolen, Zscaler’s Sutton said. That shows retailers have a long way to go to improve their security, he said.

“It is concerning that gigabytes of credit card data can be siphoned from hundreds of retails stores each day for months and ultimately be sent to attackers in Eastern Europe without alarms being raised or reacted to,” Sutton said.