Home Depot Knew About Data Vulnerability in 2008

Alvin Bryan

Alvin Bryan is a freelance writer and online privacy enthusiast currently contributing quality tips and troubleshooting on personal VPN services, and online privacy and security news. You can also find him on Google +.

The Home Depot hack put an estimated 56 million accounts at risk. The credit cards used at the store could be used for fraudulent purchases amounting to about 3 billion US dollars. Home Depot says they are doing all they can to protect customers from the data vulnerability. But former employees say that the chain has known about its data vulnerability since 2008.

Biggest Data Breach in History Could Have Been Easily Averted

Employees of Home Depot in 2008 warned the store that there was a data vulnerability in their systems. But repeated warnings from these computer savvy employees about probable hacks did not resonate with the chain. Home Depot did little to increase security for the millions of customers it serves nationwide. Now we learn that the attack on this home improvement giant is the biggest that any retailer has ever experienced. They confirmed last Thursday that 56 million customer credit cards were compromised because of the data vulnerability. One credit monitoring company says that the stolen card numbers could result in losses of up to $3 billion. Some cards are already available on the black market.

Former employees say that Home Depot has handled system security very poorly for the past six years. Some left Home Depot because their data vulnerability concerns were not taken seriously. They still work in the cyber security industry, however, and have been watching their old company since they reported the data vulnerability. They say that the attack was successful because the company did not act promptly and did not do enough to secure their systems.

Home Depot used outdated software and did not perform regular or thorough security scans. Outdated software does little to protect computer systems because it has no power to detect new attack methods. The slipshod scanning practice allowed too much room for attackers to exploit the data vulnerability unnoticed. They finally hired a security engineer in 2012, but he was recently thrown in jail for security sabotage.

The country has a good industry standard for the protection of customer data. But how did Home Depot get away with their sloppy security practices? The Payment Card Industry Security Standards Council requires retailers to conduct quarterly credit card industry security scans approved by third-party quality security assessors. But Home Depot performed these simple and cheap tests on only a few of their outlets, according to former security employees. The PCI Council did not make any comment. Home Depot may have slipped past industry watchdogs, but they will not escape public and media scrutiny for their negligence.

Hackers Used New Malware to Exploit Data Vulnerability

Home Depot’s official statement about the data breach stands on the idea that attackers used a new type of malware. The supposition is that even if they had performed more thorough security checks, they would not have been able to easily detect the intrusion. Company spokesperson Stephen Holmes says that Home Depot has strong security and has added measures for better data protection. Among these is the encryption of registers and a move over to smart-chip payment systems. But this was completed only last week. The store says that they have eliminated this latest threat, but we may still see many customers using cash there instead of credit cards.

Despite the claims that hackers used never-before-seen malware, retailers should know that this is par for the course. Attackers will always use new methods to avoid detection by updated security systems. The fact remains that the Home Depot breach was so huge not because of any new malware, but because their data security system was seriously faulty. They did not pay attention to the known data vulnerability detected six years earlier. Retailers are generally not taking security seriously, as evidenced by attacks on Albertsons, Goodwill Industries, Neiman Marcus, Target, UPS, and hundreds of others. Security experts have been saying for years that if retailers would talk to each other about security, it would help to greatly reduce the potential for successful attacks. Yet they remain tight-lipped, treating data vulnerability and security as an industrial secret.

The malware that hit Home Depot has been identified as a variation of the same malware that hit Target. Target also missed the warning signs, but this should have alerted other chains to probable attacks. Security researchers say that Home Depot has no excuse for not reacting fast enough to the Target breach. The retail chain did begin encrypting payment systems at this point. But they did not detect that hackers were already in the system, so it was too late to matter in this case. The government has issued a warning that as many as a thousand retailers may be unknowingly under attack by the same malware family. Security experts again urge companies to check their systems now and start applying proper security measures for the future.

3 thoughts on “Home Depot Knew About Data Vulnerability in 2008”

  1. They should have warned us so we could check and secure our cards immediately. Hackers can do a lot of damage in a month before the statement comes out.

  2. Companies always do this. They just really don’t care if people get robbed, especially when they don’t need to pay for it. I guess they also know that most people don’t care either because they can get their money back and they are too lazy to find another store.
