Home Depot (HD 2.55%) investors had to be expecting the worst. The data breach the DIY superstore suffered far surpassed the one that hit Target (TGT +0.68%) last year, and the discount department store chain is still coming to grips with the fallout.
Where some 40 million account holders were compromised by the hackers that infiltrated Target's accounts, 56 million Home Depot account holders had their data breached.
The hack attack didn't take Home Depot offline. Photo: Flickr user Mike Mozart.
Yet despite the enormity of the revelation that hackers were compiling their information haul over a five month period -- Target's happened over just three weeks -- there's barely been a ripple in Home Depot's stock. After a slight drop following the discovery, it's bounced right back. Target's stock, on the other hand, remains depressed.
Why the different responses?
Building a case for a discount
Is it "data breach fatigue?" Have we had so many of these break-ins that at this point consumers are just resigned to them occurring?
Between Facebook's violating our privacy regularly, Google admitting they're reading our emails, and the NSA screening every call, text, and email, maybe hacking into our credit card accounts isn't such a big deal anymore.
Not really. Even though the hack attack at TJX (TJX 2.15%) remains by far the biggest breach of confidence consumers have suffered to date, with over 90 million accounts stolen over an 18-month period, the Target and Home Depot episodes are still enormously significant events.
There are several differences between the two incidents that make the fallout from them understandable.
Shhh! If you ignore it, maybe it will go away
First, Target badly mismanaged its response to the hack attack. It didn't let its customers know there was a problem, but rather began working behind the scenes with banks, which immediately started placing limitations on how much consumers could spend on their credit cards.
Coming as it did right at the start of the Christmas holiday shopping season, consumers were rightly surprised they were having purchases rejected.
As I recounted last year, I was one of those Target customers whose accounts were comprised. I was only alerted to something being amiss when I received an unidentified robo-call saying I needed to speak to someone about my debit card account. It wasn't till weeks later that I and millions of other Target customers found out what the problem was.
In comparison, Home Depot was pretty upfront about the breach, and fortunately for it, the hacking occurred during the lazy days of summer and not when everyone was scrambling to buy gifts.
The site Krebs on Security was the first to suggest on Sept. 2 that there might be problems with Home Depot accounts, and when the company was contacted it admitted it was looking into it. A week later the DIY center confirmed that customer accounts at its U.S. and Canadian stores had indeed been compromised, though not those in Mexico, or online.
It announced last week that all of the malware that had been installed on its system, malware that was uniquely built to attack Home Depot and has not been seen elsewhere, had been removed.
Tales from the crypt
Second, it wasn't just Target account info that was stolen, but encrypted PIN data as well.
Because of the layers of security embedded in the encryption code, the likelihood of actual fraudulent activity occurring was small -- data entered at register keypads is encrypted three times, with the code for breaking it stored offsite at the payment processor. But it was still unsettling that such sensitive information was taken.
That didn't happen at Home Depot: there's not the same feeling of violation that consumers felt after Target's breach.
It's a matter of trust
In the end, it seems to come down to time and response. For Target, it couldn't have happened at a worse time -- and the company compounded the problem by not letting its customers know there was a situation.
Even so, despite the layers of encryption utilized to protect accounts, leaving all that sensitive data in the hands of retailers is still a dicey proposition.
Each time companies raise the bar of protection, hackers vault over it with even more sophistication. The business world is stuck playing catch up.
Maybe Apple's (AAPL +1.50%) new payment service, Apple Pay, is a solution. It removes the need for all that security by taking the data away from the retailer and locking it in a vault behind a fingerprint on your handheld device. You never give up control.
If nothing else, the latest data breach incident provides an impetus for exploring such decentralized data storage, and should serve as a warning to other businesses to be proactive in their approach to security and upfront with their customers.
