All Tech Considered
2:09 pm
Wed September 3, 2014

I Feel Nothing: The Home Depot Hack And Data Breach Fatigue

Originally published on Mon September 8, 2014 9:33 am

How many megahacks have we consumers faced in recent memory?

Well, there was that Target one that affected something like 110 million of us. Earlier this year, Open SSL, the protocol that protects much of the Internet, was hit by the Heartbleed bug and exposed most of us. Then there was news that hackers got 1 billion email and other sign-in credentials this summer.

This weekend, the Internet imploded when some ne'er-do-wells stole and shared nude images of female celebrities. Hackers broke into the world's biggest bank, JPMorgan Chase. And not even Home Depot may be safe. Holes in the hardware giant's data security may have exposed more American credit card numbers than Target did.

You've certainly read the what-to-do-in-the-event-of-a-hack stories here, and elsewhere. How many times have we recommended looking at your credit card bills for any weird purchases, or had security experts remind us to change our passwords, or use two-factor authentication, or not trust the cloud with our most private images?

There are systemic issues that need to be fixed; namely why we're still using decades-old magnetic stripes on our credit cards when the rest of the world uses the more secure chip-and-PIN system. (While retailers like Target have tried to move to new systems, banks and Visa and MasterCard have been slow to switch consumers to more modern payment systems.)

And I am not saying that these crimes are small — they are costing our retailers and banks millions, if not billions of dollars to recover from these data hacks time and time again. Forbes wrote about the potential damage to Home Depot:

"If the breach did occur and is larger than Target's the debacle could cost Home Depot dearly. Last month Target said its breach cost $148 million and the mess eventually led to the ouster of CEO Gregg Steinhafel. Target shares are down more than 4% year-to-date."

But because banks are responsible for making us whole if our credit cards are misused, and we are simply issued new cards (an annoying hassle, but not life-altering), I join you in reacting to news of these hacks with a shrug.

"We are in the trough of disillusionment," says Gartner security analyst Avivah Litan. "Over 1,000 retailers have been hit; it's not limited to Home Depot. There are 999 others that no one's talking about."

Litan says we have become numb to this news because consumers always get paid back. And the criminals are stealing a lot more data than they can use. "So most people haven't had a lot of damage from this," Litan says. "Banks are so quick to reissue new cards, no one cares anymore."

But the damage does fall disproportionately on retailers. They spend a lot of money on security to prevent breaches of their payment systems and keep their names out of hacking-related news. But really, retailers must rely on the payment systems standardized by card issuers and the banks.

So when we ask why payment systems are insecure, it's bigger — much bigger — than a lack of security at Home Depot, or Target, or name-that-brand. It's really about an entire system that needs to play catch-up. Because we shop across many stores, and not just one, banks and card companies have to take the lead. So far, they've pledged to move to chip-and-PIN cards starting next year, but Litan says that could take seven to 10 years.

Cue the next hacking hype cycle.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.