Home Depot Security Breach Case Study
INDIVIDUAL CASE ANALYSIS
Home Depot Security Breach
Prepared By
ADAEZE ‘DAISY’ OCHIEZE
PRESENTED TO
Dr. C. Harben
MBA 6090
Strategy Design and Implementation
FALL 2014
Contents
Introduction 3
Decision Makers 4
Problem Statement 4
Identify Alternatives 4
Analysis of Alternatives 5
Alternative One 5
Alternative Two 6
Alternative Three 7
Alternative Four 7
Alternative Five 8
Recommendation 9
Implementation 9
Evaluation 10
Generalization 11
References 12
Introduction
Founded in 1978 by Bernie Marcus, Arthur Blank, Ron Brill, and Pat Farrah, the Home Depot is an American retailer of home improvement and construction products and services. From the beginning, Home Depot associates have been known to offer the best …show more content…
customer service hence their philosophy – “whatever it takes” meaning to cultivate a relationship with the customers rather than merely processing a transaction. With headquarters in Georgia, Atlanta, Home Depot transformed the home improvement industry by guiding and training customers through home projects such as handling power tools, painting, and changing floor tiles.
In the 1980s and 1990s, Home Depot experienced significant growth with 1989 marking the celebration of its 100th store opening.
In 1994, Home Depot debut in Canada acquiring Aikenhead’s home improvement center. In 2001, Home Depot made its second international entrance in Mexico where it acquired Total Home. In 2006, Home Depot extended its reach in Asia and acquired China, Home Way, a 12 chain store.
Home Depot’s strategy includes being in alliance directly with industry leading manufacturers such as BEHR paint, LG appliances, and Ryobi tools etc. Its values include taking care of “our” people, giving back to the communities, doing the right thing, creating shareholder value, building strong relationships, and respect for all people.
Mid-September, 2014, Home Depot confirmed a huge security theft that compromised around 56 million credit/debit cards from back in April, 2014. According to Home Depot, criminals used a third party vendor’s user name and password to enter the perimeter of its network which allowed the hackers elevated rights to navigate portions of Home Depot’s network. As a result, separate files containing email addresses, passwords and payment card data were compromised. Home Depot also confirmed that the malware used to achieve this has not be seen prior to this attack and was designed to evade detection of antivirus …show more content…
software.
Home Depot with the law enforcement is currently investigating this breach while looking into several alternatives to further enhance its security measures ongoing.
Decision Makers
The internal decision makers include top executives such as; Chairman and CEO – Frank Blake,
Executive Vice President and Chief Information Officer – Matt Carey,
President, U.S Retail – Craig Menear,
Executive Vice President – Corporate Services & Chief Financial Officer – Carol Tome,
Senior Vice President – Finance – Richard McPhail,
And Vice President - Corporate Communications and External Affairs – Brad Shaw.
Problem Statement Because of the data security breach, Home Depot faces a huge loss in revenue, drop in share value, reduced consumer confidence, and damage to corporate brand and company reputation.
Identify Alternatives
A1) Increase the data security of Home Depot by implementing cybersecurity czar
A2) Have a preliminary strategy ready for inevitable data breach
A3) Increase consumer data security literacy with an emphasize on creating smarter consumers
A4) Boost P.R. activities to manage company reputation
A5) Develop high security credit card specific to Home Depot
Analysis of Alternatives
An analysis of each alternative was carried out In order to determine the best alternative that could provide the optimum solution for the issues faced by Home Depot. Each alternative was analyzed to determine Strengths, Weaknesses, Opportunities, and Threats.
Alternative One
Alternative one involves creating a department that will focus on increasing the data security of Home Depot. The primary focus of this department will include; stopping intrusion from targeted attacks, identifying threats by comparing real-time alerts with worldwide environment. This department would also be responsible for accurately identifying and proactively protecting customers’ sensitive information wherever it is stored. The department would also be in charge of having a breach prevention and response plan that is integrated into the daily operations. However, in the event that an intrusion occurs, the department will be responsible to prevent data breach by using network software set up by the department to detect and block the exfiltration of confidential data.
This would involve researching several network software to identify that which best fits Home Depot. Not only does Home Depot have to research several software, they would also be required to research where to store such critical information and hire the best cybersecurity personnel.
The strengths of this alternative include the fact that; Home Depot is well funded to implement cybersecurity czar department that would be responsible in increasing its data security. It also well-funded in upgrading its current security system. The weakness is that Home Depot currently lack a specialized team dedicated to data breach.
Not having a specialized data breach department poses a huge threat as this will result in loss of customer confidence in the company’s security system. There is also the threat of reputational damage and the wrath from legislators, regulators, and the public. The cost involved in setting up such department can be huge.
This particular incident provides an opportunity for Home Depot to upgrade and modify its existing controls. It’s also an opportunity for the company to conduct a thorough risk analysis while marketing for new technology that might be of benefit to its customers as well as the customers. Knowing that Home Depot will go to any length to protect its customers’, protecting their critical data will boost customer’s morale so they remain loyal to Home Depot and also attract new customers which would increase the Home Depot’s market share.
Alternative Two Having a preliminary strategy in place involves preparing accordingly, getting the word out, accepting responsibility, being open, honest and transparent, and accurate and fast. Furthermore, it includes persons and methods with lists and avenues required to execute all communications that might be needed. In the event that a breach occurs, Home Depot should reiterate that the privacy of their customers and personal information is of the highest importance to them, and every effort is made to ensure that their information is secure and safe.
By communicating early, accepting responsibility, and delivering on promised updates, Home Depot reduces the chances of the media making more out of it and other retailers taking advantage of the breach. This overall, is a huge strength for alternative two.
The weakness of this alternative is not being certain about all the facts. Changing its story about the breach, might leave its customers confused about the extent of the damage and who is at risk.
The threat of alternative two is that Home Depot becomes vulnerable to its competitors. There is also the threat of a decline in its market share.
The opportunity of alternative two is the assurance made to customers which will result in loyal customers staying back and the birth of new customers.
Alternative Three
One of the core competencies of Home Depot is the DIY – Do it Yourself training made available to all Home Depot customers. Home Depot can extend its power of DIY by increasing consumer data literacy. By training customers not only in the company products but also providing training on how to protect their credit cards and data. In doing this, Home Depot is alleviating the issues of technological imbalance among its customers as well as employees. Using graphics to convey such powerful messages filled with impenetrable data is one way that Home Depot can train its customers in becoming smarter. This will enable Home Depot help their customers understand the facts of a situation especially when it comes to data breach.
The strength of alternative three is that the disconnect between Home Depot and the consumers due to the breach will be dissolved as consumers are given the opportunity to better understand the situation at hand. This will boost customer confidence in Home Depot.
Although, this will not generate revenue for Home Depot which is a weakness, but good content marketing for Home Depot which is a huge opportunity as more customers will be attracted to Home Depot. The threat of alternative three, is the transfer of knowledge to competitors.
Alternative Four
Alternative four is boosting PR activities by going beyond traditional PR to rebuild company reputation. This means leveraging credible third parties through blogs, bumper stickers, and interactive website to boost the reputation of the company. Other means of communication channels such as free and paid media, charitable contributions, and partnership to spread positive messages about its activities are ways Home Depot can boost its reputation. There is also the idea of activating a network of affiliated and non-affiliated influencers.
The strength of alternative four is that Home Depot get to save on cost as messages are communicated through high-trust channels to its consumers at close to no cost.
Not only is the message delivered through a high-trust channel, Home Depot will be able to develop relationships with broad set of stakeholders as well as reduce the risk of further reputational damage.
The weakness is that consumers may not pay much attention to interactive website and so miss out on the important detail that needs to be sent out. It may also lack the in-depth reporting required for a balanced view of any message that need be conveyed to consumers. The company might also pay some cost as a new agent might be hired to run the interactive website. The threat of alternative four is that interactive website tend to appear as war rooms where competitors leave negative remarks.
The opportunity of alternative four is that most Home Depot customers have access to the internet and to real time data. This also gives Home Depot the opportunity to respond back to negative remark leaving none unanswered. Also, people with star power have the opportunity to speak up for Home Depot creating a more visual support for Home Depot.
Alternative
Five
The fifth alternative is to develop high security credit card for Home Depot customers. These credit cards rather than having the regular magnetic stripe containing customer’s information, will come with tiny microprocessor chips that encrypt personal data shared with sales terminals used by general merchants. This new card should be activated using card owners thumb print which would also serve as the PIN at the point of sale to verify identity.
The strength associated with the high security card is the provision of a much better protection of Home Depot consumer information. When critical information are protected, then it becomes harder for a breach to occur and even when a breach occurs, there are no information to steal.
The weakness of alternative five is the cost involved in developing such high security credit cards. The time aspect is also a weakness as this would take longer than anticipated so as to ensure everything is done right.
The opportunity is that Home Depot will retain its customers and appeal to more. This will help build back its reputation.
The threat is that the longer it takes to develop, the more customers they are bound to lose to its competitors resulting in decline in sales revenue.
Recommendation
In order for Home Depot to continue to retain its position as the number one largest home improvement retailer in the U.S., alternative number one, reducing the risk of data breach by implementing a cybersecurity czar is highly recommended. Being number one means the company have good name branding, offer exceptional products and services to its customers. As a result, more consumers seek Home Depot. This means the company house huge critical information such as customer data, trade secrets, intellectual property, and corporate data therefore, the risk of a data breach is now higher than ever before.
Known for its good customer service, Home Depot consumers have enjoyed several years of high quality products and services from well-trained staff at a low cost. However, the recent data breach is not contributing positively to the future of the company.
Implementation
In order to effectively implement the suggested alternative, the following steps for the implementation are suggested;
Step 1 – Reevaluate current security policies.
Step 2 – Understand the existing data
Step 3 – Identify security holes from inside the company itself. It is a well-known fact that company employees, vendors, and even suppliers to vendors tend to leak data, provide unauthorized access, or engage in risky behaviors that might compromise the company whether or not they intend to.
Step 4 – Identify all connections to Home Depot networks. Home Depot data security breach occurred as a result of criminals using a third party vendor name and password to penetrate its network.
Step 5 – Disconnect unnecessary connections to the network that are not necessary.
Step 6 – Conduct a market research to find out what other companies are doing to reduce the risk of data breach, what setup they have in place, and the cost involved in setting up a cybersecurity czar.
Step 7 – Prepare and plan. This involves identifying readily available resources such as capital and human resources.
Step 8 – Hire employees or set up a team and appoint lead personnel
Step 9 – Clearly define roles, responsibilities, and system administrators and identify cyber security requirements. Step 10– Design, acquire or upgrade to new system security.
Step 11 – Transform
Step 12 – Engage in security awareness training and communication
Step 13 - Document network design
Step 14 – Engage in strategy continuous improvement by constantly expanding knowledge of threats and vulnerabilities.
Step 15 - Assess
Evaluation
The department will be evaluated daily by executing the following test;
The inability of the system to be susceptible to any malwares both internally and externally.
In the event a hacker incursion is successful, the ability of the department to prevent data breach by using readily available network software to detect and block the exfiltration of confidential data.
The number of suspicious network activities flagged.
Generalization
In today’s connected world, companies are required to embrace every means possible to increase their cybersecurity so as to prevent data breach and reduce the associated impact of security incidents. In the event that a breach occurs, companies are faced with losing customers to competitors which will result in decrease in revenue due to low sale. Not only does sales go down, but most companies are faced with tangible cost such as cost to recover lost trust from businesses or customers and corporate reputation.
In order to avoid these, companies such as Target and JP Morgan would greatly be at advantage by implementing a cybersecurity czar. This department will focus mainly on stopping intrusion from targeted attacks, identifying threats by comparing real-time alerts with worldwide environment. It would also be responsible for accurately identifying and proactively protecting customers’ sensitive information wherever it is kept, dispatched, and used.
References
Lawrence, D. (2014). Hack-Resistant Credit Cards Bring More Safety – at a Price. Retrieved from http://www.businessweek.com/articles/2014-02-14/hack-resistant-credit-cards-bring-greater-security-at-a-big-price
Montini, L. (2014). Making Customers Smarter Is Just Good Business. Retrieved from http://www.inc.com/laura-montini/infogram-why-you-should-make-your-customers-smarter.html www.corporate.homedepot.com. (n.d.). Retrieved from https://corporate.homedepot.com/ourcompany/history/pages/default.aspx www.abcnews.go.com. Retrieved from http://abcnews.go.com/Business/video/60-million-people-affected-home-depot-information-breach-25381664
Home Depot Security Breach
Prepared By
ADAEZE ‘DAISY’ OCHIEZE
PRESENTED TO
Dr. C. Harben
MBA 6090
Strategy Design and Implementation
FALL 2014
Contents
Introduction 3
Decision Makers 4
Problem Statement 4
Identify Alternatives 4
Analysis of Alternatives 5
Alternative One 5
Alternative Two 6
Alternative Three 7
Alternative Four 7
Alternative Five 8
Recommendation 9
Implementation 9
Evaluation 10
Generalization 11
References 12
Introduction
Founded in 1978 by Bernie Marcus, Arthur Blank, Ron Brill, and Pat Farrah, the Home Depot is an American retailer of home improvement and construction products and services. From the beginning, Home Depot associates have been known to offer the best …show more content…
customer service hence their philosophy – “whatever it takes” meaning to cultivate a relationship with the customers rather than merely processing a transaction. With headquarters in Georgia, Atlanta, Home Depot transformed the home improvement industry by guiding and training customers through home projects such as handling power tools, painting, and changing floor tiles.
In the 1980s and 1990s, Home Depot experienced significant growth with 1989 marking the celebration of its 100th store opening.
In 1994, Home Depot debut in Canada acquiring Aikenhead’s home improvement center. In 2001, Home Depot made its second international entrance in Mexico where it acquired Total Home. In 2006, Home Depot extended its reach in Asia and acquired China, Home Way, a 12 chain store.
Home Depot’s strategy includes being in alliance directly with industry leading manufacturers such as BEHR paint, LG appliances, and Ryobi tools etc. Its values include taking care of “our” people, giving back to the communities, doing the right thing, creating shareholder value, building strong relationships, and respect for all people.
Mid-September, 2014, Home Depot confirmed a huge security theft that compromised around 56 million credit/debit cards from back in April, 2014. According to Home Depot, criminals used a third party vendor’s user name and password to enter the perimeter of its network which allowed the hackers elevated rights to navigate portions of Home Depot’s network. As a result, separate files containing email addresses, passwords and payment card data were compromised. Home Depot also confirmed that the malware used to achieve this has not be seen prior to this attack and was designed to evade detection of antivirus …show more content…
software.
Home Depot with the law enforcement is currently investigating this breach while looking into several alternatives to further enhance its security measures ongoing.
Decision Makers
The internal decision makers include top executives such as; Chairman and CEO – Frank Blake,
Executive Vice President and Chief Information Officer – Matt Carey,
President, U.S Retail – Craig Menear,
Executive Vice President – Corporate Services & Chief Financial Officer – Carol Tome,
Senior Vice President – Finance – Richard McPhail,
And Vice President - Corporate Communications and External Affairs – Brad Shaw.
Problem Statement Because of the data security breach, Home Depot faces a huge loss in revenue, drop in share value, reduced consumer confidence, and damage to corporate brand and company reputation.
Identify Alternatives
A1) Increase the data security of Home Depot by implementing cybersecurity czar
A2) Have a preliminary strategy ready for inevitable data breach
A3) Increase consumer data security literacy with an emphasize on creating smarter consumers
A4) Boost P.R. activities to manage company reputation
A5) Develop high security credit card specific to Home Depot
Analysis of Alternatives
An analysis of each alternative was carried out In order to determine the best alternative that could provide the optimum solution for the issues faced by Home Depot. Each alternative was analyzed to determine Strengths, Weaknesses, Opportunities, and Threats.
Alternative One
Alternative one involves creating a department that will focus on increasing the data security of Home Depot. The primary focus of this department will include; stopping intrusion from targeted attacks, identifying threats by comparing real-time alerts with worldwide environment. This department would also be responsible for accurately identifying and proactively protecting customers’ sensitive information wherever it is stored. The department would also be in charge of having a breach prevention and response plan that is integrated into the daily operations. However, in the event that an intrusion occurs, the department will be responsible to prevent data breach by using network software set up by the department to detect and block the exfiltration of confidential data.
This would involve researching several network software to identify that which best fits Home Depot. Not only does Home Depot have to research several software, they would also be required to research where to store such critical information and hire the best cybersecurity personnel.
The strengths of this alternative include the fact that; Home Depot is well funded to implement cybersecurity czar department that would be responsible in increasing its data security. It also well-funded in upgrading its current security system. The weakness is that Home Depot currently lack a specialized team dedicated to data breach.
Not having a specialized data breach department poses a huge threat as this will result in loss of customer confidence in the company’s security system. There is also the threat of reputational damage and the wrath from legislators, regulators, and the public. The cost involved in setting up such department can be huge.
This particular incident provides an opportunity for Home Depot to upgrade and modify its existing controls. It’s also an opportunity for the company to conduct a thorough risk analysis while marketing for new technology that might be of benefit to its customers as well as the customers. Knowing that Home Depot will go to any length to protect its customers’, protecting their critical data will boost customer’s morale so they remain loyal to Home Depot and also attract new customers which would increase the Home Depot’s market share.
Alternative Two Having a preliminary strategy in place involves preparing accordingly, getting the word out, accepting responsibility, being open, honest and transparent, and accurate and fast. Furthermore, it includes persons and methods with lists and avenues required to execute all communications that might be needed. In the event that a breach occurs, Home Depot should reiterate that the privacy of their customers and personal information is of the highest importance to them, and every effort is made to ensure that their information is secure and safe.
By communicating early, accepting responsibility, and delivering on promised updates, Home Depot reduces the chances of the media making more out of it and other retailers taking advantage of the breach. This overall, is a huge strength for alternative two.
The weakness of this alternative is not being certain about all the facts. Changing its story about the breach, might leave its customers confused about the extent of the damage and who is at risk.
The threat of alternative two is that Home Depot becomes vulnerable to its competitors. There is also the threat of a decline in its market share.
The opportunity of alternative two is the assurance made to customers which will result in loyal customers staying back and the birth of new customers.
Alternative Three
One of the core competencies of Home Depot is the DIY – Do it Yourself training made available to all Home Depot customers. Home Depot can extend its power of DIY by increasing consumer data literacy. By training customers not only in the company products but also providing training on how to protect their credit cards and data. In doing this, Home Depot is alleviating the issues of technological imbalance among its customers as well as employees. Using graphics to convey such powerful messages filled with impenetrable data is one way that Home Depot can train its customers in becoming smarter. This will enable Home Depot help their customers understand the facts of a situation especially when it comes to data breach.
The strength of alternative three is that the disconnect between Home Depot and the consumers due to the breach will be dissolved as consumers are given the opportunity to better understand the situation at hand. This will boost customer confidence in Home Depot.
Although, this will not generate revenue for Home Depot which is a weakness, but good content marketing for Home Depot which is a huge opportunity as more customers will be attracted to Home Depot. The threat of alternative three, is the transfer of knowledge to competitors.
Alternative Four
Alternative four is boosting PR activities by going beyond traditional PR to rebuild company reputation. This means leveraging credible third parties through blogs, bumper stickers, and interactive website to boost the reputation of the company. Other means of communication channels such as free and paid media, charitable contributions, and partnership to spread positive messages about its activities are ways Home Depot can boost its reputation. There is also the idea of activating a network of affiliated and non-affiliated influencers.
The strength of alternative four is that Home Depot get to save on cost as messages are communicated through high-trust channels to its consumers at close to no cost.
Not only is the message delivered through a high-trust channel, Home Depot will be able to develop relationships with broad set of stakeholders as well as reduce the risk of further reputational damage.
The weakness is that consumers may not pay much attention to interactive website and so miss out on the important detail that needs to be sent out. It may also lack the in-depth reporting required for a balanced view of any message that need be conveyed to consumers. The company might also pay some cost as a new agent might be hired to run the interactive website. The threat of alternative four is that interactive website tend to appear as war rooms where competitors leave negative remarks.
The opportunity of alternative four is that most Home Depot customers have access to the internet and to real time data. This also gives Home Depot the opportunity to respond back to negative remark leaving none unanswered. Also, people with star power have the opportunity to speak up for Home Depot creating a more visual support for Home Depot.
Alternative
Five
The fifth alternative is to develop high security credit card for Home Depot customers. These credit cards rather than having the regular magnetic stripe containing customer’s information, will come with tiny microprocessor chips that encrypt personal data shared with sales terminals used by general merchants. This new card should be activated using card owners thumb print which would also serve as the PIN at the point of sale to verify identity.
The strength associated with the high security card is the provision of a much better protection of Home Depot consumer information. When critical information are protected, then it becomes harder for a breach to occur and even when a breach occurs, there are no information to steal.
The weakness of alternative five is the cost involved in developing such high security credit cards. The time aspect is also a weakness as this would take longer than anticipated so as to ensure everything is done right.
The opportunity is that Home Depot will retain its customers and appeal to more. This will help build back its reputation.
The threat is that the longer it takes to develop, the more customers they are bound to lose to its competitors resulting in decline in sales revenue.
Recommendation
In order for Home Depot to continue to retain its position as the number one largest home improvement retailer in the U.S., alternative number one, reducing the risk of data breach by implementing a cybersecurity czar is highly recommended. Being number one means the company have good name branding, offer exceptional products and services to its customers. As a result, more consumers seek Home Depot. This means the company house huge critical information such as customer data, trade secrets, intellectual property, and corporate data therefore, the risk of a data breach is now higher than ever before.
Known for its good customer service, Home Depot consumers have enjoyed several years of high quality products and services from well-trained staff at a low cost. However, the recent data breach is not contributing positively to the future of the company.
Implementation
In order to effectively implement the suggested alternative, the following steps for the implementation are suggested;
Step 1 – Reevaluate current security policies.
Step 2 – Understand the existing data
Step 3 – Identify security holes from inside the company itself. It is a well-known fact that company employees, vendors, and even suppliers to vendors tend to leak data, provide unauthorized access, or engage in risky behaviors that might compromise the company whether or not they intend to.
Step 4 – Identify all connections to Home Depot networks. Home Depot data security breach occurred as a result of criminals using a third party vendor name and password to penetrate its network.
Step 5 – Disconnect unnecessary connections to the network that are not necessary.
Step 6 – Conduct a market research to find out what other companies are doing to reduce the risk of data breach, what setup they have in place, and the cost involved in setting up a cybersecurity czar.
Step 7 – Prepare and plan. This involves identifying readily available resources such as capital and human resources.
Step 8 – Hire employees or set up a team and appoint lead personnel
Step 9 – Clearly define roles, responsibilities, and system administrators and identify cyber security requirements. Step 10– Design, acquire or upgrade to new system security.
Step 11 – Transform
Step 12 – Engage in security awareness training and communication
Step 13 - Document network design
Step 14 – Engage in strategy continuous improvement by constantly expanding knowledge of threats and vulnerabilities.
Step 15 - Assess
Evaluation
The department will be evaluated daily by executing the following test;
The inability of the system to be susceptible to any malwares both internally and externally.
In the event a hacker incursion is successful, the ability of the department to prevent data breach by using readily available network software to detect and block the exfiltration of confidential data.
The number of suspicious network activities flagged.
Generalization
In today’s connected world, companies are required to embrace every means possible to increase their cybersecurity so as to prevent data breach and reduce the associated impact of security incidents. In the event that a breach occurs, companies are faced with losing customers to competitors which will result in decrease in revenue due to low sale. Not only does sales go down, but most companies are faced with tangible cost such as cost to recover lost trust from businesses or customers and corporate reputation.
In order to avoid these, companies such as Target and JP Morgan would greatly be at advantage by implementing a cybersecurity czar. This department will focus mainly on stopping intrusion from targeted attacks, identifying threats by comparing real-time alerts with worldwide environment. It would also be responsible for accurately identifying and proactively protecting customers’ sensitive information wherever it is kept, dispatched, and used.
References
Lawrence, D. (2014). Hack-Resistant Credit Cards Bring More Safety – at a Price. Retrieved from http://www.businessweek.com/articles/2014-02-14/hack-resistant-credit-cards-bring-greater-security-at-a-big-price
Montini, L. (2014). Making Customers Smarter Is Just Good Business. Retrieved from http://www.inc.com/laura-montini/infogram-why-you-should-make-your-customers-smarter.html www.corporate.homedepot.com. (n.d.). Retrieved from https://corporate.homedepot.com/ourcompany/history/pages/default.aspx www.abcnews.go.com. Retrieved from http://abcnews.go.com/Business/video/60-million-people-affected-home-depot-information-breach-25381664