The story behind the Home Depot breach continues to unravel bit by bit, and as the pieces of the jigsaw start to fit together, the resulting picture doesn’t look pretty.
Not one bit.
According to an article in the New York Times, the situation appears to have been little more than shambolic in my opinion, with former staff and security team members telling the publication that defence mechanisms were out of date and that security response was lacking.
The timeline appears to have started around seven years ago when the company began employing Symantec antivirus 2007, only to never subsequently update it. The New York Times also reports that networks were not consistently monitored for signs of attack and that system and vulnerability scans were not only performed erratically, but were also not all-encompassing as security staff were blocked from checking certain systems, including those associated with handling customer information.
The fact that the company failed to perform even the most basic of scans on a regular basis, in conjunction with more than 12 customer information databases being outside of their remit, is alarming, if not surprising, to me at least.
Whether the company complied with payment card rules (it says it has since 2009), which mandate that a retailer of this size conduct comprehensive scans at least quarterly, is unknown, as is whether Home Depot employed the services of QSAs to regularly test compliance; but the allegations put forward by former employees certainly suggest the answer may be a resounding no.
In fact, things were so bad at Home Depot that employees reportedly left the company after being told by managers that the chain “sell[s] hammers” when they asked for new software and training.
Even when the company did make a positive step in 2012 by hiring a computer engineer, Ricky Joe Mitchell, to help oversee security at its 2,200 stores, things didn’t exactly go to plan – he was subsequently arrested and banged up for 4 years in a federal jail after he was found to have deliberately wiped the servers at his previous company.
Former security staff at the chain told the New York Times that their confidence in the company’s IT systems was so low that they even resorted to telling friends to avoid using credit cards to make payments, instead recommending cash as a safer alternative.
The company did react eventually though, bringing in experts from Voltage Security, but only after the Target breach was discovered. The move to roll out EMV credit card security and the deployment of encryption across company systems came too late though as the attackers had already gained entry to the systems, leading to the theft of 56 million customers’ payment cards. Such a haul eclipses the 40 million that were snaffled during the Target breach. Experts have already seen some information for sale on carder forums and the total value of the stolen data has been estimated to be worth up to $3 billion.
And, as if things couldn’t get any worse, Home Depot’s email to customers, advising them of the breach, has only just gone out, long after most of the world heard the news from other sources.
Also, as you can see, it’s somewhat short of useful, actionable advice:
Dear Valued Customer,
As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores. On September 18, 2014, we confirmed that the malware used in the breach has been eliminated from our U.S. and Canadian stores and that we have completed a major payment security project that provides enhanced encryption of payment data at point of sale throughout our U.S. stores, offering significant new protection for customers. There is no evidence that debit PIN numbers were compromised or that checks were impacted. Additionally, there is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.
We are offering customers who used a payment card at a Home Depot store in 2014, from April on, 12 months of free identity protection services, including credit monitoring, beginning on September 19, 2014. We apologize for the frustration and anxiety this may cause you and we thank you for your patience during this time.
For more information, please visit our website where you’ll find frequently asked questions, helpful tips, our Important Customer Notice, and information about how to take advantage of the free identity protection services, including credit monitoring. Should you have questions regarding the authenticity of this email or any additional questions over the coming days and weeks, please call 1-800-HOMEDEPOT.
We hope this information is useful and we appreciate your continued support.
The Home Depot
How do you rate Home Depot’s incident handling and response in this case?