Bit by bit, information about the Home Depot security breach is coming to light, and the picture it paints is extremely unflattering for the retailer.
The latest insight comes from former Home Depot IT employees and members of its cybersecurity team, who told the New York Times that the company was lax and slow-moving when it came to setting up defenses against cyber attackers.
The company still uses Symantec antivirus software from 2007; does not perform network monitoring in order to spot unusual behavior; performs system and vulnerability scans irregularly and incompletely – the security staff was not even allowed to scan some systems handling customer information; and, finally, in 2012, the company employed a security engineer who was sentenced this April to four years in federal prison because he was found guilty of disabling the computers of his previous employers.
Most of these former employees left the company of their own accord, after their requests for new software and training were repeatedly dismissed by managers saying: “We sell hammers.”
The company’s bigwigs have apparently been galvanized into doing something only after the Target breach. Home Depot’s CEO reacted by setting up a team to protect the company’s networks, and has called in outside experts from Voltage Security to help with the introduction of enhanced encryption for payment data. Unfortunately, the move came too late, as the attackers were already inside.
Despite Home Depot’s recent statement that “the hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and any terminals identified with malware were taken out of service,” the ex-employees’ insight into how information and system security was handled in the company should make us extremely skeptical about the retailer’s claims.
As one of them advised friends, using cash instead of payment cards is the best thing to do when shopping at Home Depot.
The attack against the company is estimated to have put at risk approximately 56 million unique payment cards, information of some of which is already being sold on carder forums.