I was hardly surprised to see Home Depot-related emails showing up in my inbox over the weekend. After all, it may be the largest breach ever, with at least 56 million credit cards compromised.
It also now appears that Home Depot is the new poster child for what happens to a company, both in terms of data loss and of its reputation, when it ignores the warnings that it is at a high threat level.
According to a number of reports, Home Depot management had been warned for years – years – that its network was vulnerable to a serious cybersecurity attack. But it appears that upper management refused to take these warnings seriously. The New York Times reported:
In recent years, Home Depot relied on outdated software to protect its network and scanned systems that handled customer information irregularly, those people said. Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.
To make matters worse, when the company did finally hire someone to handle security, they brought in someone who was a known insider threat, according to Ars Technica:
In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating in Charleston, West Virginia—and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.
And yes, it does get worse. I first wrote about the Home Depot breach on September 4, after I had heard about it right after Labor Day. It took the company until September 18 to release a statement confirming the breach.
I don’t mean to sound like I’m picking on them, but Home Depot is an example of almost every possible security misstep I can think of. Top management ignored warnings from its own security professionals, then hired a person who had been an insider threat at another company (and retained him even after he was indicted), and finally admitted a problem existed three weeks after security reporters and mainstream media had reported the news.
Expect this type of breach to continue happening at retail outlets of all sizes. As Adam Kujawa, head of malware intelligence at Malwarebytes Labs, told me in an email:
The Home Depot incident, as well as all of the other POS incidents that have happened over the last year, are showing us that a lot of retailers are taking shortcuts when it comes to the security of their customers’ financial data for the sake of speed and efficiency. I don’t necessarily blame them since they just want to make the customers happy but I imagine that they never considered the possibility of these attacks actually happening on a large scale.
The attacks on such businesses are getting more creative, which means that companies need to be more vigilant about security than ever before. And that begins with a very simple step: When your security team tells you that your system is vulnerable to an attack, provide them with the funds to get it fixed.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba