Once again, a third-party vendor is at the root of a major data breach. This time it is Home Depot releasing details on the breach that was revealed earlier this fall. As CNET reported:
Hackers entered Home Depot's network using credentials stolen from a third-party vendor, the company said in a press release. That access allowed hackers to work their way through Home Depot's network to its self-checkout machines in the US and Canada, where they inserted malicious software to steal customers' card numbers.
I have not seen any reports on what role this third-party vendor has in the Home Depot supply chain, but it could be anything. After all, the Target breach was the result of an HVAC vendor. As Tom Bain, SVP, CounterTack, told me in an email:
The supply chain of partners, customers and vendors has often times been overlooked by retailers. However, what the Target and Home Depot breaches show us is that retailers need to tighten integration between inventory, teams and systems. Contributing to the ‘third party’ issues retailers face is outdated software as well as getting a better grasp with who is being granted shared access to the retailer’s networks. There are just simply too many gaps along the entire supply chain.
It would be easy to stop right there and go into yet another discussion on the risk of third-party threats. But there is a second component to Home Depot’s announcement from last week: To go along with the 50+ million credit cards stolen or compromised, 53 million email addresses were also stolen. According to eSecurity Planet:
The files containing the email addresses did not contain passwords, financial information or any other sensitive personal information.
That’s the good news, I guess. We don’t usually think much about email addresses being stolen, especially if that theft doesn’t include other personal information or our passwords. After all, our email address is our “public face” online. It’s how customers and potential clients reach out to us. It’s how we communicate. I get plenty of emails in response to this blog from people I don’t know, for example, because my email is out there and easy to find. That goes for most business emails, but also for personal email addresses. However, perhaps sharing our email address is a greater risk than we’ve realized. As Rob Shavell, CEO with Abine told me (via email, of course), we tend to hand our email address out too routinely, and we need to rethink that:
Chances are your email or a family member’s is now being sold online - perhaps matched with corresponding credit card information. In particular, everyone should be more cautious about sharing their real email when they are creating accounts with passwords, because most people re-use passwords across sites. This allows hackers to easily run "scripts," which try and submit your email and password to up to 1,000 web site login pages for a second. If you’ve re-used the same email and password, they easily have full access to all those accounts.
Many employees still use their professional email as their all-purpose email, unwittingly giving criminals access to the company network. It’s time to encourage the use of personal emails for personal use and keep professional emails for work purposes only.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba