“… The Company Was Slow to Respond to Early Threats and Only Belatedly Took Action.”
By now we’ve all heard about the latest credit card breach within Home Depot – that account information of 56 million cardholders was compromised in what is the largest known breach of a retail company’s computer network.
According to computer experts inside Home Depot, the risks were clear, and the company was warned for years that it might be easy prey for hackers.
Alarm bells were ringing as far back as 2008, but according to former employees, the home improvement chain was a wee bit slow to raise any proactive defence. The stolen data has popped up on black markets and could be used to make $3 billion in illegal purchases.
So why on earth did the company not do anything when information was first shared long ago by former employees on the company’s cybersecurity team – when these employees came forward to shed light on what they perceived was a possible breach in the making?
In the past, Home Depot relied on archaic software to protect its network and the systems that handled customer information. As such, members of the company’s security team felt it was in the company’s best interest to bring forward their concerns – but they say that management dismissed those concerns.
We’ve seen these thefts and fraudulent acts before at merchants, including Albertsons, Neiman Marcus, UPS, and of course, Target. Security experts say retailers have not only been complacent about security, they have also been reluctant to share information with one another.
Government officials estimate that as many as 1,000 retailers have been infiltrated by variations of the malware that first struck Target. They say many companies do not even know they have been breached…
… cue the security experts who know when there’s a potential for a data breach that management brushes aside.
And that’s how Target was caught “with its pants down” and the victim of theft of data on more than 40 million cards before the holiday season 2013.
Home Depot did assemble a team to determine how to protect the company’s network after the Target fiasco. By April, the company had started introducing, in some of its stores, enhanced encryption that scrambled payment information the moment a card was swiped. But management’s lackadaisical follow-through on important information brought forward by employees meant that criminals were already knee deep in Home Depot’s systems. By September 2, when banks and law enforcement brought the breach to light, hackers had already been stealing millions of customers’ card details, unnoticed, for months.
Prevention is the best medicine
This clearly shows the inconsistency in, and misunderstanding of, the company’s corporate whistleblower policy and its enforcement. In one of our posts earlier this month, Four Steps to Manage Your Whistleblower Complaints, we highlighted how important it is that a company investigate allegations of any possible fraud quickly and thoroughly, before it blows up into a media spectacle like the one we are seeing with Home Depot today, and saw with Target last holiday season.
Let’s reiterate two of these steps:
Address Every Allegation
By not ignoring any allegation brought forward by your employees, you’re showing an interest in what whistleblowers are experiencing that made them come forward in the first place. Home Depot’s security employees knew there was a potential for something bad to happen.
Keep Communicating With the Whistleblower
To reiterate: the easiest way to avoid conflict with your whistleblower, and to prevent them from taking their story outside the company, is to communicate with them continually. Brushing off concerns is not an option. If employees know you are working with them to right perceived wrongs, you build trust and dedicated employees.
Every employee has their place in an organization. Each employee brings their own unique experience and knowledge to their position, which upper management doesn’t necessarily understand at the granular level. Management at Home Depot needed to trust that their security team knew the ins and outs of the data, and that the potential for a data breach was a reality. Acknowledging these concerns right from the start, and having conversations with those employees to understand the details of their concerns, could have prevented this data breach of biblical proportions. And these valuable employees would still be working for the company instead of leaving their positions out of frustration with management’s lack of action.
It’s important that employees have a safe place to anonymously bring forward any concerns they have that could jeopardize the company’s future. It’s equally important that this safe place, an ethics reporting system, has the ability to securely track each incident of corporate whistleblowing, so that there is an audit and compliance trail.