Running Head: SECURITY BREACHES: A CASE STUDY EVALUATION

Security Breaches: A Case Study Evaluation

Of British Airways and Home Depot
John Faulkner
Dr. Bartel CS 391

University of Alabama

SECURITY BREACHES: A CASE STUDY EVALUATION

2

Abstract

The purpose of this paper is to review two data breaches that occurred at two separate
companies. These breaches impacted customers in different ways but both call into question the
amount of protection that companies place on safeguarding their data. This paper will detail
what happened in each situation, who it impacted, what was breached, how it occurred, how the
attack could be prevented and how each company responded to the situation. This paper will
also make clear the need for companies to better protect data.

SECURITY BREACHES: A CASE STUDY EVALUATION

3

British Airways Attack

British Airways was the subject of a hacker that was attempting to discover vulnerabilities in the
airlines computer systems. As part of this attack, the perpetrator was able to access tens of
thousands of frequent flier accounts in a database that houses information for the airline. The
company has said that no personal data was compromised, but according to The Guardian
(2015), it did freeze the accounts of many high-level frequent fliers rendering them unable to
redeem their earned miles toward award travel for a short period of time.

This attack was done using an automated system that was looking for ways to access British
Airlines computer systems through any vulnerability. It was most likely the result of a hacker or
even possibly a cracker. However, since no data was stolen and sold, it appears to be the work
of a hacker. British Airways reacted to this attack by protecting, but inconveniencing its
customers and initiating a public relations reassurance campaign. As an airline, it has a duty to
maintain a computer system that is secure from attack and penetration. This company should
step up their cyber security practice and be proactively looking for holes in their security to
reduce the window of vulnerability to as small as possible.

Home Depot Data Breach

In late April or early May of 2014, the Home Depot Corporation was the target of perpetrators
that stole over 56 million customers credit and debit cards from Home Depots cash register
system and sold the data on the black market (Ideas, issues, knowledge, data - visualized!, N.D.).
This theft and unauthorized access was discovered in September of the same year when many
banks were correlating a mass amount of fraud and linking it all bank to Home Depot (Krebs,

SECURITY BREACHES: A CASE STUDY EVALUATION

4

2014). As you can see, this crime not only impacted the customers who shopped at Home Depot
and used a credit or debit card, but it also has caused harm to the banks that the customers use.
These banks were the ones who were left to connect the dots and lead investigators to Home
Depot as the source of the mass fraud.

The data was obtained by the perpetrators who installed malware in the cash register system of
over 2,200 Home Depot stores (Ideas, issues, knowledge, data - visualized!, N.D.). Krebs
(2014) speculated that the same group of perpetrators who conducted this crime also was behind
the crime at Target and P.F. Changs among others. This type of crime is fitting of a cracker or
cybercriminal.

Tighter control of access to the core computer systems as well as internal

penetration testing and security checks could have aided to prevent this time of attack and theft.
In addition to the above suggestions, merchants and customers can be better protection by the
implementation of chip and pin technology. Home Depot (2014) acknowledged in their press
release that better encryption and chip-and-pin will become part of the toolset used to prevent
this type of breach.

The banks that were impacted by this crime purchased the list of stolen credit and debit card
numbers from a website and then notified Home Depot (Krebs, 2014). Home Depot
immediately took action to investigate the breach and ultimately acknowledge the crime. As
part of the effort to remediate the event, Home Depot offered free identity protection for all
customers who used a credit or debit card during the time of the incident (Home Depot, 2014).

SECURITY BREACHES: A CASE STUDY EVALUATION

5

Conclusion

The two studies above are just two of hundreds data breaches that occur in the world each year.
There are always several victims who are impacted by these crimes. Businesses are always in a
position of defense when these attacks occur, but should reposition their efforts to be proactive in
preventing access to their data. With increasing levels of security comes a great need for
increased testing and proactive measure to ensure access is truly restricted to only those who
have a need. In addition, implementing new process and procedures that keep up with changes
in the way we process credit and debit card data can also reduce the impact of a breach.
Companies face an uphill challenge to cybercrimes. Even as technology gets better, perpetrators
get smarter and better. This type of crime will persist until every business learns to properly
safeguard their data.

SECURITY BREACHES: A CASE STUDY EVALUATION

6

References

Krebs, B. (2014, September 14).Banks: Credit Card Breach at Home Depot. Retrieved May 20,
2016, from http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/
Ideas, issues, knowledge, data - visualized! (n.d.). Worlds Biggest Data Breaches. Retrieved
May 20, 2016, from http://www.informationisbeautiful.net/visualizations/worlds-biggestdata-breaches-hacks/
The Guardian (2015, March 29). British Airways frequent-flyer accounts hacked. Retrieved May
20, 2016, from https://www.theguardian.com/business/2015/mar/29/british-airwaysfrequent-flyer-accounts-hacked
Home Depot. (2014) The Home Depot Reports Findings in Payment Data Breach
Investigation[Press release]. Retrieved from
https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf