Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Did Home Depot Invite Data Breach with "We Sell Hammers" Attitude?

September 23, 2014

Hat tip to Dave Ries.

According to a New York Times story, ex-employees of Home Depot have said that computer experts inside Home Depot warned the company as far back as 2008 that it might be easy prey for hackers but that it failed to respond.

Last Thursday, Home Depot confirmed that the biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data is being sold on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

Former members of the company's cybersecurity team, speaking on the condition they not be named, described Home Depot's handling of security as a record of missteps. They spoke of outdated software, of irregular scanning of the systems that handled customer information, and of managers dismissive of their concerns.

In 2012, Home Depot hired a computer engineer to help oversee security at its 2,200 stores. In 2014, that engineer was sentenced to four years in prison for deliberately disabling computers at the company where he previously worked.

Home Depot has said that the malware which infiltrated its systems had not been seen before and was difficult to detect. It said that it had patched any holes and that it is now safe for customers to shop there. Cards used between April and September 2 might be vulnerable to being used fraudulently. Home Depot says it has improved its security this year by encrypting card data at the register and switching to a new smart-chip-based payment standard in all stores.

However, by the time the company started using enhanced encryption that scrambled payment information the moment a card was swiped, cybercriminals were already deep in its networks.

Ex-employees say that managers relied on outdated Symantec antivirus software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers. They said that the company performed vulnerability scans irregularly on the dozen or so computer systems inside its stores and often scanned only a small number of stores. Credit card industry security rules (the PCI Data Security Standard) require large retailers to conduct such scans at least once a quarter, using scanning vendors approved by the Payment Card Industry Security Standards Council, which develops the technical requirements for its members' data security programs. The P.C.I. Council also requires that approved, third-party Qualified Security Assessors perform routine assessments to verify that merchants are compliant.
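The "strange server talking to its checkout registers" pattern is cheap to catch if register traffic is baselined. The following is an added example, not code from the original post or from Home Depot: a small flow-log detector that flags any register talking to a server outside an allowlist, any non-management host initiating connections to a register, and any register-to-register traffic. The address plan, the allowlists and the flow records at the bottom are all hypothetical and constructed for the example.

```python
"""Flow-level anomaly detection for a point-of-sale (register) segment.

Added example, not code from the original post or from Home Depot. The
address plan and allowlists are hypothetical; the flow records at the
bottom are constructed, not captured traffic.
"""
import ipaddress
from collections import defaultdict

# Hypothetical: all registers live in 10.40.0.0/16 (one /24 per store).
REGISTER_NETS = [ipaddress.ip_network("10.40.0.0/16")]

# Hypothetical allowlist of (server, port) pairs a register may initiate to.
EXPECTED_OUTBOUND = {
    ("10.1.5.10", 443),   # payment authorization switch
    ("10.1.5.20", 8530),  # patch / update server
}
# Hypothetical allowlist of management hosts allowed to initiate to a register.
EXPECTED_INBOUND = {"10.1.9.5"}  # jump host used by store IT


def is_register(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REGISTER_NETS)


def parse_flow(line: str) -> dict:
    """Parse 'ts src sport dst dport bytes'; src is the connection initiator."""
    ts, src, sport, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def classify(f: dict):
    """Return an anomaly label for one flow, or None if it matches the baseline."""
    src_reg, dst_reg = is_register(f["src"]), is_register(f["dst"])
    if src_reg and dst_reg:
        return "register-to-register"          # registers never need to talk to each other
    if src_reg and (f["dst"], f["dport"]) not in EXPECTED_OUTBOUND:
        return "register-to-unknown-server"    # e.g. exfiltration to an outside host
    if dst_reg and not src_reg and f["src"] not in EXPECTED_INBOUND:
        return "unknown-server-to-register"    # the "strange server talking to registers" case
    return None


def detect(lines):
    """Aggregate anomalous flows per (label, src, dst, dport) so a burst yields one alert."""
    alerts = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        label = classify(f)
        if label is None:
            continue
        a = alerts[(label, f["src"], f["dst"], f["dport"])]
        a["flows"] += 1
        a["bytes"] += f["bytes"]
        a["first"] = a["first"] or f["ts"]
        a["last"] = f["ts"]
    return dict(alerts)


# Constructed sample flows (not real traffic): normal authorizations, a patch
# pull and a jump-host RDP session, then an unknown internal host pushing to
# three registers over SMB and one register uploading 48 MB to an outside address.
SAMPLE_FLOWS = """
2014-04-11T09:00:01 10.40.12.21 51022 10.1.5.10 443 1800
2014-04-11T09:00:05 10.40.12.22 51023 10.1.5.10 443 1750
2014-04-11T09:05:00 10.40.12.21 51100 10.1.5.20 8530 40960
2014-04-11T09:10:00 10.1.9.5 40000 10.40.12.21 3389 9000
2014-04-11T23:14:10 10.1.77.8 44210 10.40.12.21 445 612000
2014-04-11T23:14:12 10.1.77.8 44211 10.40.12.22 445 612000
2014-04-11T23:14:15 10.1.77.8 44212 10.40.12.23 445 612000
2014-04-12T02:30:00 10.40.12.21 52000 203.0.113.50 443 48000000
""".strip().splitlines()


if __name__ == "__main__":
    for (label, src, dst, dport), a in sorted(detect(SAMPLE_FLOWS).items()):
        print(f"{label:28} {src:>12} -> {dst}:{dport}  flows={a['flows']} bytes={a['bytes']}")
```

Run against the constructed records, the detector produces four alerts: three for the unknown host 10.1.77.8 pushing to registers over port 445 and one for a register sending 48 MB to 203.0.113.50, while the authorization, patch and jump-host flows stay silent. The allowlist is the baseline; in practice it would be learned from a known-good window of flow data and reviewed by hand rather than typed in, and the per-(src, dst, port) aggregation is what keeps a thousand registers phoning the same rogue server from becoming a thousand tickets.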

But two former employees said that, while Home Depot data centers in Austin and Atlanta were scanned, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff. Home Depot said the industry standards included an exemption for store systems that are segmented from larger corporate networks, and it said the company had complied with P.C.I. standards since 2009.

Ex-employees said they were not surprised the company had been hacked. They said that over the years, when they asked for new software and training, managers came back with the same response: “We sell hammers.”

In light of the dreadful post-breach publicity, and what appears to have been disdain for securing customer data, Home Depot may be selling fewer hammers.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq