According to security reporter and blogger Brian Krebs, the Home Depot hack, which resulted in the compromise of more than 50 million credit and debit card numbers, may have affected most of its store locations. Home Depot joined a lengthy list of hacked merchants and service providers that includes Neiman Marcus, Sony, Target, Sally Beauty Supply, Staples, and P.F. Chang's. Once credit and debit card numbers have been stolen from a hacked victim, three processes are set in motion.
The first is the monetization of the card numbers by thieves. The numbers may be bundled, sold in online marketplaces, and used for fraudulent charges. The money may then fund other fraudulent activities. Reshipping fraud, for example, is a fencing operation that involves receiving and re-mailing merchandise. The goods themselves and the shipping labels used to mail them are purchased with stolen numbers. These scams may be advertised on Craigslist as lucrative work-from-home employment opportunities.
The second is the attempt by the credit card companies to recover their losses. In cases of credit card fraud, the ultimate burden is often shouldered by the merchant. These losses take two forms: punitive fines for failing to be PCI compliant, and assessments to cover fraudulent charges and card replacement. The former are relatively small (rarely exceeding $100,000) and the cards themselves cost about $2.50 each to replace, but assessments can be enormous and difficult to estimate. For a sense of scale, the Home Depot hackers stole 56 million credit and debit card numbers. It takes time for stolen cards to make their way through black markets and be charged, so the full amount a merchant is liable for can take years to determine. A large credit card data breach can put an ill-prepared company out of business. Many companies carry some form of crime insurance to protect themselves from such losses.
The third is the hacked company's effort to shield itself from legal action. This can include hiring outside legal counsel, a public relations firm, and a data breach coach to coordinate the response. In certain situations, and where not otherwise required by law, legal counsel may recommend making the breach public by notifying the relevant state attorneys general and the affected customers. While breach notification can be undertaken by the hacked company itself, it is often handled by companies that specialize in this type of notification. Some breach notification companies also provide a call center that can respond to customers' questions. The hacked company may also make credit monitoring available. Finally, the company will begin investigating the causes of the breach. The investigation may be conducted by legal counsel so that anything discovered, whether or not it is related to the breach, is protected by attorney-client privilege. A cyber insurance policy typically covers hiring outside expertise, forensics, and breach response, with the goal of minimizing class-action losses.
Card owners need to review their statements carefully because scammers may sneak in periodic, small charges. They should never click hyperlinks in emails that appear to be from their bank, nor respond to unsolicited phone calls. When they need to speak to their credit card company, they should call the number on the back of their card. One of my colleagues received a call from criminals who already had his card number and pretended to be the card issuer. For consumers, the cost of using their credit cards is vigilance, and that is something to think about when doing your holiday shopping.
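The "periodic, small charges" pattern above is mechanical enough to check with a script rather than by eye. The following is an added example, not code from the original post or from any card issuer: it runs a simple heuristic over a constructed, hypothetical statement export and flags any merchant that appears three or more times with charges under a chosen amount and at roughly regular intervals. The merchant names, dates, amounts, and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample statement, not real data: (posting date, merchant, amount).
# The hypothetical "DIGITAL SVCS LLC" line is the kind of quiet recurring
# test charge a fraudster hopes a cardholder will overlook.
TRANSACTIONS = [
    (date(2014, 9, 3), "GROCERY MART", 84.12),
    (date(2014, 9, 5), "DIGITAL SVCS LLC", 1.99),
    (date(2014, 9, 14), "GAS STATION", 41.50),
    (date(2014, 10, 5), "DIGITAL SVCS LLC", 1.99),
    (date(2014, 10, 20), "BOOKSTORE", 23.75),
    (date(2014, 11, 5), "DIGITAL SVCS LLC", 1.99),
    (date(2014, 11, 11), "GROCERY MART", 91.30),
    (date(2014, 11, 12), "GROCERY MART", 88.40),
    (date(2014, 11, 12), "GROCERY MART", 12.00),
]


def find_recurring_small_charges(transactions, max_amount=10.00,
                                 min_occurrences=3, interval_tolerance_days=3):
    """Flag merchants with repeated small charges at a near-constant interval.

    A merchant is flagged when it has at least `min_occurrences` charges of
    `max_amount` or less and the gaps between consecutive charges differ by
    no more than `interval_tolerance_days`. All thresholds are assumed values
    chosen for this example; tune them to your own statement.
    """
    small_by_merchant = defaultdict(list)
    for posted, merchant, amount in transactions:
        if amount <= max_amount:
            small_by_merchant[merchant].append((posted, amount))

    flagged = []
    for merchant, charges in small_by_merchant.items():
        if len(charges) < min_occurrences:
            continue
        charges.sort()  # sort by date so the gaps are chronological
        gaps = [(later[0] - earlier[0]).days
                for earlier, later in zip(charges, charges[1:])]
        if max(gaps) - min(gaps) <= interval_tolerance_days:
            flagged.append({
                "merchant": merchant,
                "count": len(charges),
                "total": round(sum(amount for _, amount in charges), 2),
                "first_seen": charges[0][0].isoformat(),
                "gap_days": gaps,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_recurring_small_charges(TRANSACTIONS):
        print(f"Review with issuer: {hit['merchant']} charged {hit['count']} times, "
              f"total ${hit['total']:.2f}, first seen {hit['first_seen']}, "
              f"gaps {hit['gap_days']} days")
```

A single cheap charge proves nothing on its own, so the heuristic looks for regularity across months; a real statement export would replace the constructed list, and any hit is a reason to call the number on the back of the card, not a verdict of fraud.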