Home Depot, which calls itself “the world’s largest home improvement retailer,” can add a new distinction. It is now the scene of the world’s largest known theft of consumer credit card information. A cyberattack has put at risk the data of about 56 million customers between April and September. This exceeds the approximately 40 million credit accounts breached at Target stores, the previous all-time high.
In the same week that Home Depot revealed the loss, the Senate Armed Services Committee reported on a yearlong investigation that found Chinese hackers penetrated computer systems run by contractors for the U.S. military agency responsible for the transport of troops and material on at least 20 occasions. It’s not clear what the hackers were looking for, but keep in mind that private airlines provide more than 90 percent of the Pentagon’s passenger movement capability and more than a third of its bulk-cargo capability, according to the panel. This is the kind of computer network that the military would not like to share with a potential adversary. And the U.S. Transportation Command knew of only two of the intrusions.
What these events show once again is that the United States is under siege in cyberspace. Disruption, theft, espionage and attack have been accelerating in recent years. The crisis of security on the Internet is real and deepening. The vulnerabilities threaten everyone who holds a credit card, visits a doctor or uses social media. Yet the national response has been alarmingly and inexplicably passive. Congress has debated comprehensive legislation but failed to reach agreement. The administration is well aware of the siege and has taken some modest steps, but it can’t solve the problem alone. The private sector, deeply dependent on the Internet, is seriously exposed but also cannot find a solution.
The Home Depot and Target attacks were carried out through malware planted on the card-reader machines that customers use to check out. Brian Krebs, the computer security expert who broke the story of the breach, said that most of the thefts apparently occurred in self-checkout machines. As customers swiped their credit cards, buying light bulbs or toilet repair kits or some other Saturday fix-it product, their information was siphoned off the magnetic strip and off the card reader by thieves. A transition to a more secure chip-and-PIN card system is well underway but not fast enough to protect 56 million Home Depot customers.
Surely, if customers saw a pickpocket standing behind them, they would be wary — and furious. But there is a strange complacency about massive data breaches. As a society that has championed capitalism, pioneered the digital revolution and thrived on an Internet based on trust, Americans should be far less tolerant of this abuse. The thieves, spies and warriors in cyberspace need to be defeated, and it is long past time to get started figuring out how.