Last week Home Depot admitted that cyber criminals stole an estimated 56 million debit and credit card numbers from Home Depot customers between April and September 2014. That’s roughly 16 million more than the Target breach and the largest retail card breach on record. If the information from former Home Depot security employees is in fact true, then it’s a wonder that the stolen card total wasn't dramatically higher. What went wrong and what can other organizations learn from Home Depot's missteps?
According to former employees here are the 4 big mistakes that left Home Depot vulnerable.
- Relied on outdated software to protect its network. Home Depot used 2007 Symantec antivirus software and didn’t continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.
- Scanned systems with customer data inconsistently and incompletely. Home Depot performed vulnerability scans on computer systems inside its stores irregularly. More than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.
- Performed inadequate background checks of key security personnel. In 2012, Home Depot hired and promoted a security engineer to oversee their security systems. In April of this year, that employee was sentenced to four years in prison for performing a factory reset on his former employers' servers.
- Ignored employee pleas for new security software and training. Several former Home Depot employees told the New York Times that when they sought new software and training over the years, managers came back with the same response:
We sell hammers.
These breaches are being executed by sophisticated international cyber criminals. If executives are not setting the right tone and providing their security teams with proper resources, then these breaches are going to get even worse before they get better.
Dan Geer: The 5 Myths Holding Your Security Program Back
Dan Geer discusses how security teams of all sizes can get past common information security myths to more effective data protection and security.
Related ArticlesThe Security Hot Seat: HealthCare.gov
Welcome to our newest blog feature, The Security Hot Seat. Every Monday we will put a person or organization in the Hot Seat based on the security news of the past week. We picked quite a week to kick this off!The Security Hot Seat: Personal Device Encyption
This week' s Hot Seat features the latest issue in the debate on personal privacy vs. national securityThe Security Hot Seat: Cyber Risk
Cyber risk in the Hot Seat after being identified as top concern for financial services industry.