Last week Home Depot admitted that cyber criminals stole an estimated 56 million debit and credit card numbers from Home Depot customers between April and September 2014. That’s roughly 16 million more than the Target breach and the largest retail card breach on record. If the information from former Home Depot security employees is in fact true, then it’s a wonder that the stolen card total wasn't dramatically higher. What went wrong and what can other organizations learn from Home Depot's missteps?
According to former employees here are the 4 big mistakes that left Home Depot vulnerable.
- Relied on outdated software to protect its network. Home Depot used 2007 Symantec antivirus software and didn’t continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.
- Scanned systems with customer data inconsistently and incompletely. Home Depot performed vulnerability scans on computer systems inside its stores irregularly. More than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.
- Performed inadequate background checks of key security personnel. In 2012, Home Depot hired and promoted a security engineer to oversee their security systems. In April of this year, that employee was sentenced to four years in prison for performing a factory reset on his former employers' servers.
- Ignored employee pleas for new security software and training. Several former Home Depot employees told the New York Times that when they sought new software and training over the years, managers came back with the same response:
We sell hammers.
These breaches are being executed by sophisticated international cyber criminals. If executives are not setting the right tone and providing their security teams with proper resources, then these breaches are going to get even worse before they get better.
Dan Geer: The 5 Myths Holding Your Security Program Back
Dan Geer discusses how security teams of all sizes can get past common information security myths to more effective data protection and security.
Related ArticlesThe Security Hot Seat: Intellectual Property
IP in the Hot Seat after Hackers Charged with Theft of $100-200M in Xbox, U.S. Army DataThe Security Hot Seat: Personal Device Encyption
This week' s Hot Seat features the latest issue in the debate on personal privacy vs. national securityThe Security Hot Seat: Ernst & Young
As usual, there was no shortage of security news last week - the unraveling of the Home Depot breach, the discovery that banking malware Dyre has set its sights on Salesforce, and the release of 5 million Gmail logins by Russian hackers were just a few of the big stories. However, I decided to go with a slightly more bizarre selection for this week's Hot Seat.