
IT Security Management: The Home Depot Data Breach

Added on  2022/12/23

AI Summary
This report analyzes the case study of Home Depot data breach, including the possibilities of the breach, its impact, and provides relevant solutions. It also discusses the information security framework for this particular case study.

Running head: IT SECURITY MANAGEMENT
IT Security Management: The Home Depot Data Breach
Name of the Student
Name of the University
Author’s Note:

Table of Contents
Part 1: Case Study Analysis
1. Introduction
2. Possibilities of the Security Breach
3. Impact of the Breach
4. Solutions or Patches
5. Policies
6. Information Security Framework
7. Conclusion
Part 2: Computer based Fraud
1. Introduction
2. Computer Fraud: Types and Impact on Organization
3. Evidence of Involvement of IT Employees
4. Few Possible Mechanisms for avoiding Fraud
5. Conclusion
References
Part 1: Case Study Analysis
Abstract
The objective of this report is to analyse the case study of the Home Depot data breach. Data
breaches can be both accidental and intentional. In an intentional breach, a cybercriminal
hacks an organizational database in which personal information is shared. In an accidental
breach, an employee exposes information on the Internet, and criminals get the opportunity
to access vital personal details. Most data breaches involve vulnerable and overexposed
unstructured data such as sensitive information and documents. Most regulatory regimes
include data breach notification laws, which require an organization to check whether a data
breach threatens its customers. Home Depot faced major issues related to the hacking of its
POS systems. This report identifies the possibilities of the breach and the impact of the
breach, and provides relevant solutions to these data breaches.
1. Introduction
A data breach is an incident that exposes protected and sensitive information. It can
involve the subsequent theft or loss of social security numbers, personal health data,
emails, passwords and bank account details (Jaferian et al., 2014). A data breach occurs
through insider and privilege misuse or physical loss or theft. Denial of service is the
second significant and distinct type of data breach. The following report outlines a brief
discussion of the case study of the Home Depot data breach. It covers the possibilities of
the security breach, the impact of the breach, solutions, relevant policies and a suitable
information security framework for this case study.
2. Possibilities of the Security Breach
On 8th September, 2014, the POS systems of Home Depot were compromised through several
exploitation methods; stolen third party vendor credentials and RAM scraping malware were
highly instrumental in making the data breach successful. The confidential payment card
information was sold online by the cyber attackers (Boyle & Panko, 2014). The first step in
this process is to sell the payment card data to brokers, and it is then sold on to carders
on certain phishing websites. Almost 56 million payment cards were stolen in the Home Depot
data breach. The major possibility behind this security breach is memory scraping malware.
This malware has the core capability of reading the contents of RAM on a POS terminal at the
moment the payment card data is present there in clear text.
The major weakness of Home Depot that allowed this threat to occur was that its POS systems
were not properly locked down, and as a result the memory scraping malware was able to steal
such information (Hänsch & Benenson, 2014). The attackers infiltrated the POS networks and
then carried out the process of stealing payment card data. They were able to obtain access
to the vendor environment with login credentials. As soon as they got into the Home Depot
network, they installed the memory scraping malware on more than 7500 self checkout POS
terminals and then grabbed 56 million debit and credit cards. Home Depot did not take the
necessary steps to protect its point of sale systems, and hence the attackers got the
opportunity to exploit these vulnerabilities and steal payment card information (Angst et
al., 2017). Inadequate network segregation is yet another important weakness of this
organization.

Moreover, in spite of having Symantec Endpoint Protection (SEP) installed within its
environment, Home Depot had not turned on an important feature of the product, known as
Network Threat Protection (Fennelly, 2016). This feature acts as a host intrusion prevention
system. With the POS devices configured to keep the feature activated, it would also have
been vital to attest to the success of the feature while completing vulnerability
assessments on the systems. The operating system on the Home Depot POS devices, Windows XP
Embedded SP3, was not secured (Elmaghraby & Losavio, 2014). Another distinctive weakness of
this organization was that it did not use P2P (point to point) encryption, and thus payment
data was not secured against the attacks.
3. Impact of the Breach
The impact of the breach on the POS systems of Home Depot has been extremely high. The data
breach had numerous negative impacts, which are described in the following paragraphs:
i) Risk of Identity Theft: The first and foremost negative impact of this security breach
was that the confidential data of the customers’ payment cards, such as credit and debit
cards, was completely lost (Siponen, Mahmood & Pahnila, 2014). Due to the loss of financial
data and information, the customers of Home Depot were left open to the subsequent risk of
identity theft. There is a high risk of cyber criminals attempting to compromise data
security. The possibility of such risks or security breaches has increased to around 66% for
all types of organizations.
ii) Compromising Customers’ Data: The second noteworthy negative impact of the security
breach is the compromise of the customers’ confidential data. Since the payment card details
of the customers were stolen by attackers who got into the POS networks, it is evident that
the data breach had a major impact on the customers, and Home Depot risked losing most of
its customers in the process (Rubóczki & Rajnai, 2015). Moreover, there was a high chance
that the bank account details of the customers would also be stolen by the attackers, since
credit and debit cards are directly linked with bank accounts.
iii) Risk of the Employees’ Data: Another significant negative impact of the Home Depot
security breach is the risk to the employees’ data. Since the POS networks were breached by
the attackers, the employees’ data was also at risk (Maglaras et
al., 2018). There was a major impact on employees’ data, as the attackers used social
engineering, which had a major impact on the company's data security, to gain unauthorized
access to classified information. The CIA (confidentiality, integrity and availability) of
the data was at stake, since completing customers' payments requires linking bank account
details with the customers’ payment cards (Van Tilborg & Jajodia, 2014). Security processes
and procedures at Home Depot were not stringent for the information of either employees or
customers.
iv) Missing Secure Configuration: Home Depot lacked a secure configuration. It did not use
P2P encryption for its data, a technology that allows payment card data to be encrypted at
the point of swipe and to remain encrypted in memory (Shoven & Slavov, 2014). Since Home
Depot did not have the hardware required for the technology, the confidential data was lost.
The major reason for this discrepancy was that the organization did not upgrade the
operating system of its POS devices.
4. Solutions or Patches
The impacts mentioned above are extremely destructive for Home Depot and resulted in the
loss of confidential payment card details. However, there are significant solutions or
patches for these issues that can reduce the impact and provide better accessibility and
effectiveness in the organization (Safa, Von Solms & Furnell, 2016). The major solutions and
patches are as follows:
i) Involving Point to Point Encryption: This is the first and foremost solution to the data
breach that occurred within Home Depot. The organization should have adopted P2P (point to
point) encryption for its existing POS devices, which would have made it much easier to
obtain high safety and security against any type of data breach. According to Soomro, Shah
and Ahmed (2016), the security of debit and credit card data should have been the top
priority. Even with attackers infiltrating the POS systems and installing memory scraping
malware on the registers, it is highly recommended that the organization implement P2P
encryption to prevent the attackers from stealing debit or credit cards. It would have
provided encryption at the point of swiping the card and entering the 4 digit PIN code. Due
to the encryption algorithm, it becomes almost impossible to detect the PIN, and hence the
data is completely safe and secured (Goldstein & Frank, 2016).
ii) Involving Network Segregation: This is the second distinctive factor that was missed by
Home Depot. Protection of the perimeter is considered one of the most important components
for preventing the larger retail breaches that have taken place, and is termed extremely
critical when deploying a defence in depth approach. Arachchilage and Love (2014) stated
that the organization should have properly segregated the POS network from the rest of the
corporate network, and that private virtual local area networks are required for such
situations.
iii) Management of Third Party Vendor Credentials: Another vital solution for resolving the
impact of the data breach at Home Depot is successful management of third party vendor
credentials (Mukundan & Sai, 2014). Various attackers were able to obtain access to a vendor
specific environment that was being utilized by retailers and were able to pivot to every
corporate network. This demonstrated the significance of having adequate controls in place,
from which Home Depot would have benefitted and been secured from the breach.
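The segregation and vendor credential points above can be checked mechanically. The following is an added example, not part of the original report: it audits a zone-to-zone rule set for any allowed path, direct or through a pivot, into the POS zone. The zone names, ports and both rule sets are constructed for illustration.

```python
"""Segmentation audit: can a vendor login reach the POS zone, directly or by pivoting?

Added example. Zone names, ports and rules below are constructed, not Home Depot's.
"""
from collections import deque

# Each rule allows connections from one zone to another on one port.
# FLAT models the weakness described above: vendor access lands in the corporate
# network, and the corporate network can open connections to the POS terminals.
FLAT = [
    ("vendor", "corp", 443),
    ("corp", "pos", 445),
    ("corp", "pos", 3389),
    ("pos", "payment_gw", 443),
]

# SEGMENTED: vendors stop at a portal zone, and only a dedicated management
# zone may open connections into the POS VLAN.
SEGMENTED = [
    ("vendor", "vendor_portal", 443),
    ("corp", "vendor_portal", 443),
    ("pos_mgmt", "pos", 22),
    ("pos", "payment_gw", 443),
]


def build_graph(rules):
    """Adjacency list: zone -> [(reachable zone, port), ...]."""
    graph = {}
    for src, dst, port in rules:
        graph.setdefault(src, []).append((dst, port))
    return graph


def pivot_path(rules, start, target):
    """Shortest chain of (src, dst, port) hops from start to target, or None."""
    graph = build_graph(rules)
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            hops = []
            while parent[zone] is not None:
                prev, port = parent[zone]
                hops.append((prev, zone, port))
                zone = prev
            return list(reversed(hops))
        for nxt, port in graph.get(zone, []):
            if nxt not in parent:
                parent[nxt] = (zone, port)
                queue.append(nxt)
    return None


def zones_reaching(rules, target):
    """Every zone that has some allowed path into target."""
    zones = {z for src, dst, _ in rules for z in (src, dst)}
    return sorted(z for z in zones if z != target and pivot_path(rules, z, target))


def audit(rules, untrusted=("vendor",), target="pos", allowed=("pos_mgmt",)):
    """Flag every zone outside `allowed` that can reach the POS zone."""
    findings = []
    for zone in zones_reaching(rules, target):
        if zone in allowed:
            continue
        severity = "HIGH" if zone in untrusted else "MEDIUM"
        findings.append((severity, zone, pivot_path(rules, zone, target)))
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name)
        for severity, zone, path in audit(rules) or [("OK", "-", [])]:
            hops = " -> ".join(f"{s}>{d}:{p}" for s, d, p in path)
            print(f"  {severity:6} {zone:8} {hops}")
```

On the flat rule set the audit reports the two-hop vendor path through the corporate zone as well as the direct corporate path; on the segmented rule set it reports nothing.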
5. Policies
Home Depot should implement a few policies for security breaches, so that it is able to deal
with complexities and vulnerabilities to a high level. The first and most important policy
to be considered is a data security policy (Safa, Von Solms & Furnell, 2016). With this
policy, the organization would be able to deal with financial data, PII, and restricted and
sensitive information related to customers and employees. No unauthorized or unauthenticated
user would be able to access the data under any circumstance. Thus, information security
would be maintained, ensuring that the scope of data is being printed effectively. A secured
password should also be utilized, which means implementing a password policy for the
organization. A data leakage prevention policy is the next significant policy that would be
extremely effective for Home Depot (Rubóczki & Rajnai, 2015). This policy is designed to
make users aware of the restricted and sensitive data that they are transferring to other
locations. For this case study, the information to be maintained is payment card details.
6. Information Security Framework
Several effective and efficient IT security frameworks and standards help confidential data
to remain safe and secured. This
type of framework is a series of documented procedures used to define policies and
procedures around the implementation and ongoing management of every information security
control within the enterprise environment (Elmaghraby & Losavio, 2014). The first
significant IS framework is COBIT, which helps to reduce all types of technical risks in the
company and has evolved recently, with its new version, to include alignment of IT with
every strategic business objective. The second distinctive framework is the ISO 27000
series, which is effective for the certification process and is applicable to every type or
size of company. It is even considered the information security equivalent of the ISO 9000
quality standards and helps in information security (Siponen, Mahmood & Pahnila, 2014).
NIST is the third distinctive IS framework, which helps against any type of cyber-attack
occurring in the supply chain and provides the business with new business related
opportunities. Amongst the above mentioned information security frameworks, the most
suitable and effective for Home Depot would be the NIST framework. Since the POS networks of
this organization were attacked and breached, it is evident that intellectual properties
were affected in the process (Soomro, Shah & Ahmed, 2016). However, with successful
implementation of the NIST framework, the controlled unclassified information would have
been protected and the information system would have been aligned properly in terms of
compliance. Sensitive information such as social security data or credit card data is well
protected with this framework.
7. Conclusion
Therefore, the conclusion can be drawn that data breaches are the unintentional or
intentional release of confidential or secured information or data to an untrusted
environment. Information leakage is the most common name for such a data breach. It is a
security incident in which confidential, protected and sensitive information is stolen,
transmitted, copied, utilized or viewed by an unauthorized and unauthenticated user or
attacker. The point of sale systems of Home Depot were compromised by exploitation methods.
The case study analysis above has described the major possibilities of the security breach,
with relevant solutions and a relevant information security framework.
Part 2: Computer based Fraud
1. Introduction
Computer fraud is the activity of using a system to alter or take electronic data, or to
gain unlawful use of a system or computer. Computer related activities of this kind are
criminalized under federal jurisdictions (Vahdati & Yasini, 2015). There are various types
of computer fraud, which include distributing hoax emails, accessing unauthorized or
unauthenticated computer systems, engaging in data mining through malware or spyware,
hacking into computer systems for illegal access to personal information like credit card
details, and sending worms to ruin and destroy another party's system or computer.
2. Computer Fraud: Types and Impact on Organization
Some of the most distinctive and noteworthy types of computer fraud have significant impacts
on the organization. The major types of computer fraud are as follows:
i) Distributing Hoax Emails: With this type of computer fraud, the hacker distributes hoax
emails to the victims, who have no idea regarding their legitimacy. According to Button et
al. (2014), these emails have a huge impact on organizations since, as soon as the emails
are opened, confidential data of the systems and users is stolen and cannot be recovered
under any circumstance.
ii) Accessing Unauthorized Computer Systems: This is the second type of computer fraud, in
which the victims access unauthorized computer systems. These victims often have no idea
whether a computer system is authorized or unauthorized, and they use the unauthorized
systems, creating a major issue for all the confidential data or information that needs to
be stored effectively (Liao, Balasinorwala & Rao, 2017).
iii) Engagement of Data Mining with Malware: The third type of computer fraud is engaging in
data mining with malware or spyware. With this fraud, it becomes quite easy for the attacker
to get access to the data mining process and to remain engaged with the data mining by
implementing malware in the system.
iv) Illegal Accessibility of Personal Information: Illegal access to personal data or
information is responsible for stealing confidential data in such a manner that, when data
is being stolen, it becomes absolutely impossible to involve more targeted attacks, after
focusing on the specified systems. Gupta and Gupta (2015) stated that the most common
example of such attacks is the cross site scripting or XSS attack, which could leverage
malware on one site for running malicious code for the respective organization.
v) Sending Computer Viruses: Organizational data could be lost forever, with no scope for
recovery, if attackers introduce computer viruses into the systems and computers of the
company (Sadaoui, Wang & Qi, 2015). Sensitive information is stolen in this process.
vi) DoS Attacks: In this type of attack, the attacker attempts to prevent anyone from
getting connected to the Internet with a computer. Unwanted data is restricted in the
process and Internet traffic is blocked for sending or receiving any type of message. It has
a major impact on the organization, since it is unable to send or receive information in
this process.
3. Evidence of Involvement of IT Employees
It is often proved that IT employees are highly involved in computer fraud, which is hence
also termed an insider threat. Existing or new IT employees have insider information
concerning organizational security practices, computer systems and confidential data (Button
& Cross, 2017). The involvement of these employees in computer fraud can lead to issues such
as theft of confidential information and even intellectual property. They could even
sabotage the computer systems completely.
One of the best-known examples of such involvement of IT employees in computer fraud is the
case of Jason Needham. He was the co-owner of HNA Engineering and was charged with violating
the Computer Fraud and Abuse Act, which put him into prison for 5 years with a $250000 fine.
He used to work at Allen and Hoshall before starting his own firm (Cyber Insider Threat,
2017). During 2014 and 2016, he continuously accessed the file sharing network and email
accounts on the servers of his former company to download digitally rendered engineering
schematics, along with over 100 PDFs with budgetary documents. He accessed the email account
of his colleague at Allen and Hoshall a hundred times to breach the data, and finally the IT
staff found out the issue and reported it to the FBI.
4. Few Possible Mechanisms for avoiding Fraud
The few possible mechanisms for avoiding computer fraud are as follows:

i) Regular Inspection on the IT Employees: According to Han and Xiao (2017), IT employees
should be inspected on a regular basis, so that they do not get the scope for stealing
confidential data or breaching data under any circumstance. As a result, these IT employees
would be able to complete their duties efficiently and computer fraud could be avoided
without much complexity in the business.
ii) Implementing Antivirus Software: The second effective mechanism for solving such issues
would be the implementation of antivirus software. This type of software acts as a shield
against any kind of unauthenticated or unauthorized data and provides security from viruses
or ransomware.
iii) Using Stronger Passwords and Encryption: This is yet another vital and noteworthy
mechanism that is effective against computer fraud (Gupta & Gupta, 2015). Stronger passwords
and encryption techniques turn the confidential data into an encrypted or hidden form, and
hence attackers do not get an opportunity to hack the data at any cost.
5. Conclusion
Hence, the conclusion can be drawn that computer fraud can be of different types, such as
phishing, viruses, DDoS attacks and social engineering attacks, that are utilized to obtain
access to another network. It is the use of computers, Internet devices or services to
defraud organizational resources or people. Since smart phones and devices have become
extremely common in present days, computer fraud is being used by several cyber criminals.
It even includes perpetrating several common types of scams with electronic tools, like
impersonating the victim to steal data or money and even utilizing electronic tools to
promote deals. The above literature review has described computer fraud with relevant
details.
References
Angst, C. M., Block, E. S., D'arcy, J., & Kelley, K. (2017). When do IT security investments
matter? Accounting for the influence of institutional factors in the context of
healthcare data breaches. MIS Quarterly, 41(3).
Arachchilage, N. A. G., & Love, S. (2014). Security awareness of computer users: A phishing
threat avoidance perspective. Computers in Human Behavior, 38, 304-312.
Boyle, R. J., & Panko, R. R. (2014). Corporate computer security. Prentice Hall Press.
Button, M., & Cross, C. (2017). Cyber frauds, scams and their victims. Routledge.
Button, M., Nicholls, C. M., Kerr, J., & Owen, R. (2014). Online frauds: Learning from
victims why they fall for these scams. Australian & New Zealand journal of
criminology, 47(3), 391-408.
Cyber Insider Threat. (2017). Accessed from
https://www.cdse.edu/documents/cdse/Case-Study-Cyber-Insider-Threat.pdf [Accessed on 20 September 2019].
Elmaghraby, A. S., & Losavio, M. M. (2014). Cyber security challenges in Smart Cities:
Safety, security and privacy. Journal of advanced research, 5(4), 491-497.
Fennelly, L. (2016). Effective physical security. Butterworth-Heinemann.
Goldstein, A., & Frank, U. (2016). Components of a multi-perspective modeling method for
designing and managing IT security systems. Information Systems and e-Business
Management, 14(1), 101-140.
Gupta, P. K., & Gupta, S. (2015). Corporate frauds in India–perceptions and emerging
issues. Journal of Financial Crime, 22(1), 79-103.
Han, W., & Xiao, Y. (2017). A novel detector to detect colluded non-technical loss frauds in
smart grid. Computer Networks, 117, 19-31.
Hänsch, N., & Benenson, Z. (2014, September). Specifying IT security awareness. In 2014
25th International Workshop on Database and Expert Systems Applications (pp. 326-
330). IEEE.
Jaferian, P., Hawkey, K., Sotirakopoulos, A., Velez-Rojas, M., & Beznosov, K. (2014).
Heuristics for evaluating IT security management tools. Human–Computer
Interaction, 29(4), 311-350.
Liao, R., Balasinorwala, S., & Rao, H. R. (2017). Computer assisted frauds: An examination
of offender and offense characteristics in relation to arrests. Information Systems
Frontiers, 19(3), 443-455.
Maglaras, L. A., Kim, K. H., Janicke, H., Ferrag, M. A., Rallis, S., Fragkou, P., ... & Cruz, T.
J. (2018). Cyber security of critical infrastructures. ICT Express, 4(1), 42-45.
Mukundan, N. R., & Sai, L. P. (2014). Perceived information security of internal users in
Indian IT services industry. Information Technology and Management, 15(1), 1-8.
Rubóczki, E. S., & Rajnai, Z. (2015). Moving towards cloud security. Interdisciplinary
Description of Complex Systems: INDECS, 13(1), 9-14.
Sadaoui, S., Wang, X., & Qi, D. (2015, June). A real-time monitoring framework for online
auctions frauds. In International Conference on Industrial, Engineering and Other
Applications of Applied Intelligent Systems (pp. 97-108). Springer, Cham.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance
model in organizations. Computers & Security, 56, 70-82.
Shoven, J. B., & Slavov, S. N. (2014). Does it pay to delay social security?. Journal of
Pension Economics & Finance, 13(2), 121-144.
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information
security policies: An exploratory field study. Information & management, 51(2), 217-
224.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs
more holistic approach: A literature review. International Journal of Information
Management, 36(2), 215-225.
Vahdati, S., & Yasini, N. (2015). Factors affecting internet frauds in private sector: A case
study in cyberspace surveillance and scam monitoring agency of Iran. Computers in
Human Behavior, 51, 180-187.

Van Tilborg, H. C., & Jajodia, S. (Eds.). (2014). Encyclopedia of cryptography and security.
Springer Science & Business Media.