Thursday, September 25, 2014

Home Depot's Security Breach

For the security team working at Home Depot, the risks of a data breach were very real. According to its employees, the company did not take its technology department seriously, and many vulnerabilities had gone unaddressed since 2008. Some members of the security team left the company after their concerns were dismissed by management. The team members who stayed were surprised by how Home Depot met industry standards for protecting its customers' data.

Unfortunately for Home Depot, the breach leaked the credit cards of 56 million customers, and those cards were used for an estimated $3 billion in fraudulent transactions. Experts in the security industry blame breaches like this on companies that do not take technology seriously and do not invest in their technology departments. Another major problem is that companies are reluctant to share threat information with one another. Government officials believe that the malware that infected Home Depot's systems is very similar to the malware that hit Target. Had Target shared technical information about its breach with other retailers, Home Depot might have known that its own systems were vulnerable as well. Government officials also believe that many other small retailers have been breached by the same malware, so sharing information about these threats can be valuable to companies.

Shortly after Target was attacked, Home Depot hired security contractors to try to secure its network. This was the first time Home Depot took the security of its network seriously. However, by the time the team was able to assess Home Depot's systems it was too late. It took a couple of months for banks and law enforcement to notice that Home Depot had been breached, and by then it was too late for the security team to protect the company. Many of the cybersecurity employees at Home Depot said that the company was slow to respond to threats, and they noticed several problems with Home Depot's security. The company relied on Symantec antivirus from 2007 and other outdated software to protect its infrastructure. The company did not monitor its network activity to see whether its checkout registers were communicating with unfamiliar servers in other countries. The company also performed vulnerability scans of the computer systems at its stores irregularly, and scanned only a small number of its stores.

Credit card security standards require large retailers that process credit card transactions to scan their systems for vulnerabilities. PCI (Payment Card Industry Standard) also requires third-party security firms to audit companies to make sure they are staying compliant with the latest standards. Former security employees claim that when Home Depot's data centers were scanned, many systems handling customer data were off limits. The company had complied with PCI by excluding some of its systems, which were separated from the larger corporate network.

Even though monitoring and scanning a network is not a very costly process, Home Depot did not invest in its technology department. When employees requested new software and better security analysis, upper management came back with the same response: "we sell hammers". After this breach, management is taking the warnings from its security teams more seriously. Furthermore, the retail industry is starting to form associations to share technical information about threats.



Source: http://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html?src=mv
