By now the news of the massive payment card data breach at the Home Depot is well known. The company has acknowledged the theft of an estimated 56 million debit and credit card numbers, making it the largest retail breach on record.
In a September 18 press release confirming the breach, the merchant says malware discovered on its systems enabled the theft of card data between April and September 2, 2014. The malware has since been removed and the affected terminals have been cleaned or replaced. Moreover, the company is now installing new encryption technologies and EMV chip-and-PIN point-of-sale terminals.
Good moves, but it's too little, too late. The damage is done.
In a story reported by the New York Times on September 19, former Home Depot cybersecurity employees accuse the company of ignoring their concerns about insufficient system security for years. Apparently the warnings go back as far as 2008. Among the concerns:
- The Home Depot relied on outdated software to protect its network. Former employees said managers relied on antivirus software from 2007.
- The company failed to perform regular scans of the systems that handle customer information, despite the fact that compliance with PCI DSS requires quarterly scans, at minimum.
- Some systems that handle customer information were "off limits" to much of the security staff.
- The company did not continuously monitor the network for unusual behaviors that could have clued the experts in to data exfiltration.
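The last item on that list, continuous monitoring for unusual behavior, is the one that turns a months-long theft into a same-week incident. The script below is an added illustration, not code from the article or from Home Depot: it takes per-day outbound flow summaries for store registers, ignores traffic that stays inside the internal ranges, and flags any host whose volume to external addresses jumps far above its own recent median or that starts talking to an address it has never used before. The hostnames, internal ranges and flow records are constructed sample data; the external addresses are from the IETF documentation ranges.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Hypothetical internal ranges for a store's POS/back-office segment (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (day, source host, destination IP, dest port, bytes out).
# Baseline days show small, regular traffic to a payment gateway; on the last day one
# register pushes a large volume to an address it has never contacted before.
SAMPLE_FLOWS = [
    ("2014-08-01", "pos-0412-01", "203.0.113.10", 443, 32_000),
    ("2014-08-01", "pos-0412-02", "203.0.113.10", 443, 28_000),
    ("2014-08-02", "pos-0412-01", "203.0.113.10", 443, 30_500),
    ("2014-08-02", "pos-0412-02", "203.0.113.10", 443, 31_000),
    ("2014-08-03", "pos-0412-01", "203.0.113.10", 443, 29_800),
    ("2014-08-03", "pos-0412-02", "203.0.113.10", 443, 27_400),
    ("2014-08-03", "pos-0412-01", "10.20.1.5", 445, 900_000),  # internal file server, ignored
    ("2014-08-04", "pos-0412-01", "203.0.113.10", 443, 31_200),
    ("2014-08-04", "pos-0412-02", "203.0.113.10", 443, 30_100),
    ("2014-08-05", "pos-0412-01", "203.0.113.10", 443, 31_900),
    ("2014-08-05", "pos-0412-02", "203.0.113.10", 443, 29_300),
    ("2014-08-06", "pos-0412-01", "203.0.113.10", 443, 30_700),
    ("2014-08-06", "pos-0412-01", "198.51.100.77", 443, 48_000_000),
    ("2014-08-06", "pos-0412-02", "203.0.113.10", 443, 28_900),
]


def is_internal(ip):
    """True when the address falls inside one of the (hypothetical) internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_external_totals(flows):
    """Return ({host: {day: bytes}}, {host: {day: set(dest_ips)}}), counting only
    traffic that leaves the internal ranges."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst, _port, nbytes in flows:
        if is_internal(dst):
            continue
        totals[host][day] += nbytes
        dests[host][day].add(dst)
    return totals, dests


def find_exfiltration_candidates(flows, factor=10, min_baseline_days=3):
    """Flag (host, day) pairs whose external byte count exceeds `factor` times that
    host's median over earlier days, and list destinations not seen on earlier days.
    Days without enough history are skipped so a new register does not alert on day one."""
    totals, dests = daily_external_totals(flows)
    alerts = []
    for host in sorted(totals):
        days = sorted(totals[host])
        for i, day in enumerate(days):
            history = [totals[host][d] for d in days[:i]]
            if len(history) < min_baseline_days:
                continue
            baseline = median(history)
            seen = set().union(*(dests[host][d] for d in days[:i]))
            new_dests = dests[host][day] - seen
            if totals[host][day] > factor * baseline:
                alerts.append({
                    "host": host,
                    "day": day,
                    "bytes": totals[host][day],
                    "baseline_median": baseline,
                    "new_destinations": sorted(new_dests),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_exfiltration_candidates(SAMPLE_FLOWS):
        print(f"{alert['day']} {alert['host']}: {alert['bytes']} bytes out "
              f"(median {alert['baseline_median']}), new destinations: "
              f"{alert['new_destinations'] or 'none'}")
```

Run against the sample, only the register that sent roughly 48 MB to a never-seen address on 2014-08-06 is reported; the other register, and the 900 KB copy to an internal file server, stay quiet. In production the flow records would come from NetFlow or firewall logs rather than a list literal, and a median-times-factor threshold is deliberately crude; what matters is that the baseline is per host, that internal traffic is excluded so the external signal is not drowned out, and that "new destination" is checked independently of volume, since card data can also leave in many small pieces.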
In spite of the list of security shortcomings, the Home Depot says it has complied with PCI standards since 2009. Really? That would seem hard to believe if the allegations by the former security workers are true. And anyway, compliance with PCI DSS does not equate to having a secure environment.
When former cybersecurity employees went to their management to seek new software and training, they were given the odd response: "We sell hammers."
Who was in charge of this company during this time? Homer Simpson? Should they change the company name to "the Homer Depot"?
But wait – it gets even better. According to the NYT article, in 2012 the Home Depot hired a security engineer and quickly promoted him to a position in which he oversaw security systems at the company's stores. I guess they failed to do a thorough background check on this guy. As it turns out he had been fired from his previous place of employment, and before he left that job he disabled the company's computers—for a month! He was sentenced to four years in federal prison last April. D'oh!
The forensic investigation is still underway at Home Depot, but if it turns out that the company was as complacent about cybersecurity as the former employees allege, then I can imagine the class action lawsuits lining up behind the attorneys shouting "Let's do this!"
OK, I've had my bit of fun at the Home Depot's expense. I understand that trying to secure a point-of-sale environment that spans 2,200 stores across North America can't be easy. Let's hope that as the current company president also adds CEO to his title in a few weeks, he's not afraid to roll up his sleeves, don his work gloves and get busy building better cybersecurity across the company. He owes that much to employees, investors, card issuers and most of all, to 56 million customers.