Coverage: Home Depot breach gets bigger

September 24, 2014

Posted by Liz Hester

The Home Depot breach just keeps getting worse. The number of fraudulent transactions made with compromised cards is rising, and the company is coming under fire. What’s worse is that Home Depot apparently knew there could be problems but chose to ignore them.

The New York Times reported in a story by Julie Creswell and Nicole Perlroth that Home Depot may have known it was vulnerable to hackers:

The risks were clear to computer experts inside Home Depot: The home improvement chain, they warned for years, might be easy prey for hackers.

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

Yet long before the attack came to light this month, Home Depot’s handling of its computer security was a record of missteps, the former employees said. Interviews with former members of the company’s cybersecurity team — who spoke on the condition they not be named, because they still work in the industry — suggest the company was slow to respond to early threats and only belatedly took action.

In recent years, Home Depot relied on outdated software to protect its network and scanned systems that handled customer information irregularly, those people said. Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.

Robin Sidel reported for The Wall Street Journal that after the breach, fraud is spreading:

A large data breach at Home Depot Inc. has started to trigger fraudulent transactions that are rippling across financial institutions and, in some cases, draining cash from customer bank accounts, according to people familiar with the impact of the hacking attack.

The fraudulent transactions are showing up across the U.S. as criminals use stolen card information to buy prepaid cards, electronics and even groceries, these people said. In some cases, the fraudulent transactions have been tracked to batches of cardholder accounts that are tied to specific ZIP Codes, they said.

Financial institutions also are stepping up efforts to block the transactions by rejecting them if they appear unusual. Home Depot has said that 56 million cards may have been exposed in a five-month attack on its payment terminals.

The trends are all too familiar to thousands of the nation’s financial institutions, which have spent much of the year trying to root out fraudulent transactions tied to breaches at merchants like Target Corp., Neiman Marcus Group Ltd., grocer Supervalu Inc. and Asian restaurant chain P.F. Chang’s China Bistro Inc.

Yahoo! News reported in a story by Chris Smith that employees had been skirting security measures:

Former employees have revealed the company has been ignoring proper security procedures for years, dismissing security concerns that may have arisen. The company apparently relied on older software to protect its terminals and did not perform thorough security scans in previous years, in spite of what security team members advised. One former Home Depot security member left the company following disagreements with management, and told friends to use cash when purchasing goods from Home Depot stores.

Home Depot in 2012 even hired a security engineer to oversee security at its 2,200 stores, but he was later found to have disabled computers of a former employer for more than a month. He is now serving a four-year sentence in federal prison.

Former employees further said that they did ask for new software in previous years, as well as better training, but company management always responded that Home Depot sells hammers.

The Times story went as far as to accuse managers of ignoring warnings from employees:

Several people who have worked in Home Depot’s security group in recent years said managers failed to take such threats as seriously as they should have. They said managers relied on outdated Symantec antivirus software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.

Also, the company performed vulnerability scans irregularly on the dozen or so computer systems inside its stores and often scanned only a small number of stores. Credit card industry security rules require large retailers like Home Depot to conduct such scans at least once a quarter, using technologies approved by the Payment Card Industry Security Standards Council, which develops technical requirements for its members’ data security programs. The P.C.I. Council requires that approved, third-party quality security assessors perform routine tests to ensure that merchants are compliant.

And yet, two former employees said, while Home Depot data centers in Austin, Tex., and Atlanta were scanned, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff. A spokeswoman for the P.C.I. Council in Wakefield, Mass., declined to comment on Home Depot specifically.
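The Times passage above names the control that was missing: continuous monitoring that would catch "a strange server talking to its checkout registers". The following is an added illustration, not code from the article or from Home Depot, of what that check looks like in its simplest form: an allowlist of hosts permitted to talk to the register subnet, applied to flow records. The subnet, peer addresses and log format are assumptions constructed for the example.

```python
"""Added illustration (not from the article): flagging a 'strange server talking to
checkout registers' in constructed flow records. The subnet, allowed peers and log
format are assumptions for this example, not any real retailer's network."""
import ipaddress
from collections import namedtuple

Alert = namedtuple("Alert", "ts peer register direction")

# Assumed design: all registers live in one subnet, and only these two
# backend hosts are ever expected to exchange traffic with them.
REGISTER_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_PEERS = {
    ipaddress.ip_address("10.1.0.10"),  # store controller (assumed)
    ipaddress.ip_address("10.1.0.20"),  # payment switch (assumed)
}

# Constructed flow records: ts src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
# constructed sample, not real traffic
2014-04-12T09:00:01 10.1.0.10 49152 10.20.3.11 8443
2014-04-12T09:00:05 10.20.3.11 50233 10.1.0.20 443
2014-04-12T09:01:17 10.7.9.5 40001 10.20.3.11 445
2014-04-12T09:02:03 10.20.3.11 50310 198.51.100.7 80
2014-04-12T09:02:40 10.20.3.12 50311 10.20.3.11 445
"""

def parse_line(line):
    """Split one record into typed fields (timestamp, src, sport, dst, dport)."""
    ts, src, sport, dst, dport = line.split()
    return ts, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport)

def find_unexpected_peers(lines):
    """Return an Alert for every flow in which a register talks to a non-allowlisted host.

    Register-to-register flows are flagged too: under the assumed design, POS
    terminals never need to talk to each other, so such traffic is suspicious."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _, dst, _ = parse_line(line)
        src_reg, dst_reg = src in REGISTER_NET, dst in REGISTER_NET
        if dst_reg and src not in ALLOWED_PEERS:
            alerts.append(Alert(ts, str(src), str(dst), "inbound"))
        elif src_reg and not dst_reg and dst not in ALLOWED_PEERS:
            alerts.append(Alert(ts, str(dst), str(src), "outbound"))
    return alerts

if __name__ == "__main__":
    for a in find_unexpected_peers(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.direction}: {a.peer} <-> register {a.register}")
```

Run on the sample it reports three flows: an unknown internal host reaching a register over port 445, a register connecting out to an external address, and one register talking to another.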

These reports could make it difficult for Home Depot going forward, particularly if anyone tries to hold it liable for losses stemming from the data breach. It is the biggest consumer data breach to date, and many other companies are paying for losses that may have been preventable.
