The Security Hot Seat: Home Depot

As the biggest payment card breach in history continues to unfold, the home improvement giant finds itself in the Security Hot Seat.

Last week Home Depot admitted that cyber criminals stole an estimated 56 million debit and credit card numbers from Home Depot customers between April and September 2014. That’s roughly 16 million more than the Target breach and the largest retail card breach on record. If the information from former Home Depot security employees is in fact true, then it’s a wonder that the stolen card total wasn't dramatically higher. What went wrong and what can other organizations learn from Home Depot's missteps?

According to former employees here are the 4 big mistakes that left Home Depot vulnerable.

  1. Relied on outdated software to protect its network. Home Depot used 2007 Symantec antivirus software and didn’t continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.
  2. Scanned systems with customer data inconsistently and incompletely. Home Depot performed vulnerability scans on computer systems inside its stores irregularly. More than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.
  3. Performed inadequate background checks of key security personnel. In 2012, Home Depot hired and promoted a security engineer to oversee their security systems. In April of this year, that employee was sentenced to four years in prison for performing a factory reset on his former employers' servers.
  4. Ignored employee pleas for new security software and training. Several former Home Depot employees told the New York Times that when they sought new software and training over the years, managers came back with the same response:

We sell hammers.

These breaches are being executed by sophisticated international cyber criminals. If executives are not setting the right tone and providing their security teams with proper resources, then these breaches are going to get even worse before they get better.

Brian Mullins

Dan Geer: The 5 Myths Holding Your Security Program Back

Dan Geer discusses how security teams of all sizes can get past common information security myths to more effective data protection and security.

View Now

Related Articles
The Security Hot Seat: Intellectual Property

IP in the Hot Seat after Hackers Charged with Theft of $100-200M in Xbox, U.S. Army Data

The Security Hot Seat: PCI Security Standard

As the number of card breaches hits new records, the industry standard created to prevent these breaches finds itself in the Hot Seat

Security Hot Seat: Unpatched Drupal 7 Sites Compromised

The Open Source CMS Leader in the Hot Seat after Announcement of Widespread Compromise

Brian Mullins

Brian Mullins is vice president of product marketing at Digital Guardian. His team is responsible for strategic marketing at the product line level. Brian has over seven years of security executive experience in both data protection and identity and access management. He is a patent holder and winner of a Business Week International Design Excellence Award.

Please post your comments here