Home Depot Security Breach – How Will it Affect Investor Confidence?
October 27, 2014
By Marc Fogarty, CPA, CFE
Last February, I wrote a blog that looked at the Target breach – how it was handled and how it affected consumer and investor confidence. Just seven months later, Home Depot is in the news for what is being deemed the largest retail data breach in history, exposing credit card information of 56 million customers. Here’s a look at the current fall out.
The headline in a recent news article from the New York Times, “Ex-Employees Say Home Depot Left Data Vulnerable,” is really going to be a challenge for Home Depot’s public relations department. The article’s sources are purported to be former members of Home Depot’s cybersecurity team. They claim that Home Depot did not follow basic compliance requirements and security risk management procedures were not taken seriously.
Home Depot has put out statements to the contrary, stating specifically what they have done this year to mitigate risk, such as encrypting register systems and using a new smart-chip based payment method. But it may have been 'too little, too late' since the breach took place between April and September of this year. That’s five months of fraud that went undetected.
The Target breach occurred last holiday season and Home Depot said that, as a result, they brought in experts in January to evaluate their own risk. By April, they had started the introduction of enhanced encryption at registers. By the time the security enhancements in U.S. stores were fully implemented in early September, their security breach had already occurred.
What’s the take away? Public and private companies should be evaluating their risk exposure on an ongoing basis, not just as a reaction to a breach in their industry. Being proactive, rather than reactive, can help thwart an attack, or at least discover it much sooner so mitigation strategies can be put in place.
For public companies in particular, a data breach can have dramatic effects on investor confidence. The huge outlay of expenses related to a security breach will take some time to surface in the accounting and financial reporting of a public company, so it will also take some time to assess the total financial impact. Currently, for Home Depot, investor confidence has not seemed to change. Home Depot's stock in the last six months has had some small fluctuation, but then saw a sharp increase in August. Only a small dip is noticeable after the September breach announcement, and the stock was back up as of the date this blog was written. This is in contrast to the sharp decline Target experienced after their data breach announcement earlier this year.