Home Depot, Another Careless Retailer

Published On September 22, 2014 | By Tom Huskerson | News and Analysis

It has become the largest POS hack in history. The result is that 56 million credit and debit cards have been compromised. And it seems this may have been completely preventable.

First things first: if you have been to Home Depot in the last six months, then you could be vulnerable. You need to either change your PIN or just demand new cards. Call your bank and don’t take no for an answer. If they give you any back talk, take your business elsewhere.

The breach became known in September. Home Depot said in a statement: “Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks.”  The attack was focused on the self-service checkouts in Home Depot stores.

But was this a new and unknown malware? Maybe not. According to Computer Business Review, the malware was the same stuff used to attack Target Stores.

But if reports are correct, this did not have to happen. According to the New York Times and former employees, Home Depot simply ignored its own security experts, who warned the company as early as 2008 that it was a prime target for hackers.

Long before this massive breach became known, Home Depot poorly managed the security of its IT systems. According to former members of the company’s cyber security team, who requested anonymity, the company was slow to respond to early threats and only belatedly took action.

According to the New York Times report, Home Depot used outdated software to protect its network and did not regularly scan systems that handled customer information. People who have worked in Home Depot’s security group recently said management failed to take such threats seriously. According to sources, managers relied on outdated Symantec antivirus software from 2007. Home Depot also failed to regularly monitor its network for unusual behavior, such as an unknown server communicating with its checkout registers.

Some members of the Home Depot security team left the company because of the lack of management action on the matter. Other members questioned how Home Depot could have met industry standards for protecting customer data. The situation was so bad that one of the security experts even warned friends to avoid using credit cards and pay with cash at the company’s stores.

But it gets worse! In 2012, Home Depot hired Ricky Joe Mitchell, a security engineer, to help manage security at its 2,200 stores. He was quickly promoted to a position where he was in charge of security systems for Home Depot’s stores. But just recently Mitchell was convicted of disabling the computers of his former employer and sentenced to four years in prison.

Several of Home Depot’s former employees were not surprised the company had been hacked. According to them, they warned the company and sought to correct the situation. They said that when they asked for new software and training, management responded with: “We sell hammers.”

Breaking it down

If you think for a minute that this is unique in the retail industry, you would be wrong. If you think for a minute that retailers care about real security and protecting you, you would be wrong again. Retailers are sloppy. They don’t care about you. What you have just read is fairly indicative of the issues that are plaguing the retail payment system. The industry is full of managers who are either unaware or don’t understand what is happening. So when those who do see the writing on the wall speak up, they answer, “We sell hammers.” What they should be saying is, “We have hammers for brains!”

And the upper levels of management are looking at the bottom line and seeing that it is still cheaper to pay off claims rather than employ effective security. I have a funny feeling that Home Depot is about to learn a lesson here. 

Until we have a serious re-thinking of the way we secure our payment systems, we are going to keep seeing this happen. New cards and new ways to pay, including Apple Pay, are what is needed to fully secure our money. And did I forget some more effective federal laws and standards to protect the consumer? It’s a sad fact that we are wide open to these attacks because industry and government refuse to act. They like things just the way they are. Industry enjoys the protection of the courts, who have ruled that unless you can prove actual damages, the retail customer can’t sue the retailer who lost the data. They are saying, your data was compromised…and…

The U.S. government is willfully ignorant and reluctant to deal with this growing problem. I believe these data breaches threaten our economic future, both in the areas of wealth, data and technology loss. We need to do something or we can just kiss it all goodbye.


About The Author

Tom Huskerson Bio

Born in Richmond, Virginia, Tom Huskerson is a military veteran who settled in California after his discharge. He attended Santa Barbara City College, where he began his writing career as a campus reporter. He worked as an intern news reporter for the Santa Barbara News-Press, writing feature stories, before moving on to San Francisco. At San Francisco State University Tom studied broadcast communications and began to focus on the Internet. He completed his graduate thesis on Internet advertising. Tom was the first student to ever focus on the Internet as a graduate student at San Francisco State University. After graduation he went to work for Zona Research in California’s Silicon Valley. As a research associate Tom supported senior analysts writing on the latest developments in the Internet industry. During the dot com boom Tom worked for several web businesses as a market researcher and analyst. As a writer and researcher Tom has authored various technical works, including a training program for Charles Schwab security. Other projects included professional presentations on workplace violence and hiring security contractors. Tom has returned to focus on writing both fiction and non-fiction works and blogging for a travel website. He has published two books of short stories and completed two novels. Tom is the owner of Scribe of Life Literature and EbonyCandle. Most recently Tom has launched the blog African American Cyber Report. The blog is the result of his desire to inform the African American community of the dangers and benefits of the cyber age. In his blog Tom reports on information security, news and analysis, scams and hoaxes, legal happenings and various topics that arise from the age of information. Tom believes that technology is a necessary tool for black people and they should know what is happening. Tom writes believing that techno speak is for the professional and that valuable information can be communicated using plain language. As a result he has embraced the motto, Less Tech, More Knowledge.
