Last week Home Depot admitted that cyber criminals stole an estimated 56 million debit and credit card numbers from Home Depot customers between April and September 2014. That’s roughly 16 million more than the Target breach and the largest retail card breach on record. If the information from former Home Depot security employees is in fact true, then it’s a wonder that the stolen card total wasn't dramatically higher. What went wrong and what can other organizations learn from Home Depot's missteps?
According to former employees here are the 4 big mistakes that left Home Depot vulnerable.
- Relied on outdated software to protect its network. Home Depot used 2007 Symantec antivirus software and didn’t continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.
- Scanned systems with customer data inconsistently and incompletely. Home Depot performed vulnerability scans on computer systems inside its stores irregularly. More than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.
- Performed inadequate background checks of key security personnel. In 2012, Home Depot hired and promoted a security engineer to oversee their security systems. In April of this year, that employee was sentenced to four years in prison for performing a factory reset on his former employers' servers.
- Ignored employee pleas for new security software and training. Several former Home Depot employees told the New York Times that when they sought new software and training over the years, managers came back with the same response:
We sell hammers.
These breaches are being executed by sophisticated international cyber criminals. If executives are not setting the right tone and providing their security teams with proper resources, then these breaches are going to get even worse before they get better.
Dan Geer: The 5 Myths Holding Your Security Program Back
Dan Geer discusses how security teams of all sizes can get past common information security myths to more effective data protection and security.
Related ArticlesThe Security Hot Seat: Intellectual Property
IP in the Hot Seat after Hackers Charged with Theft of $100-200M in Xbox, U.S. Army DataThe Security Hot Seat: PCI Security Standard
As the number of card breaches hits new records, the industry standard created to prevent these breaches finds itself in the Hot SeatSecurity Hot Seat: Unpatched Drupal 7 Sites Compromised
The Open Source CMS Leader in the Hot Seat after Announcement of Widespread Compromise