Tag Archives: self serve checkout

Home Depot, Another Careless Retailer

1024px-TheHomeDepot.svgIts has become the largest POS hack in history. And the result is 56 million credit and debit cards have been compromised. And it seems this may have been completely preventable.

First things first, if you have been to Home Depot in the last six months then you could be vulnerable. You need to either change your PIN or just demand new cards. Call your bank and don’t take no for an answer. If they give you any back talk take your business elsewhere.

The breach became known in September. Home Depot said in a statement: “Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks.”  The attack was focused on the self-service checkouts in Home Depot stores.

But was this a new and unknown malware? Maybe not. According to Computer Business Review the malware was the same stuff used to attack Target Stores. 

But if reports are correct this did not have to happen. According  to the New York Times and former employees Home Depot simply ignored its own security experts who warned the company that they were prime targets for hackers as early as 2008. 

Long before this massive breach became known Home Depot poorly managed the security of its IT systems.  According to former members of the company’s cyber security team who requested anonymity the company was slow to respond to early threats and only belatedly took action.

According to the New York Times report Home Depot used outdated software to protect its network and did not regularly scan systems that handled customer information. People who have worked in Home Depot’s security group recently said management failed to take such threats seriously. According to sources managers relied on outdated Symantec antivirus software from 2007.  Home Depot also failed to regularly monitor their network for unusual behavior such as an unknown server communicating with its checkout registers.

Some members of the Home Depot security team left the company because of the lack of management action on the matter.  Others members questioned how Home Depot could have met industry standards for protecting customer data. The situation was so bad that one of the security experts even warned friends to avoid using credit cards and pay with cash at the company’s stores.

But it gets worse! In 2012, Home Depot hired Ricky Joe Mitchell, a security engineer to help manage security at its 2,200 stores. He was quickly promoted to a position where he was in charge of security systems for Home Depot’s stores. But just recently Mitchell was convicted of disabling the computers of his former employer and sentenced to four years in prison. 

Several of Home Depot’s former employees were not surprised the company had been hacked. According to them they warned the company and sought to correct the situation. They said that when they asked for new software and training, management responded with; “We sell hammers.”

Breaking it down

If you think for a minute that this is unique in the retail industry you would be wrong. If you think for a minute that retailers care about real security and protecting you. You would be wrong again. Retailers are sloppy. They don’t care about you. What you have just read is fairly indicative of the issues that are plaguing the retail payment system. The industry is full of managers who are either unaware or don’t understand what is happening. So when those that do see the writing on the wall speak up they answer. “We sell hammers.” What they should be saying is, “We have hammers for brains!”

And the upper levels of management are looking at the bottom line and seeing that it is still cheaper to pay off claims rather than employ effective security. I have a funny feeling that Home Depot is about to learn a lesson here. 

Until we have a serious re-thinking of the way we secure our payment systems we are going to keep seeing this happen. New cards, new ways to pay including Apple Pay is what is needed to fully secure our money. And did I forget some more effective federal laws and standards to protect the consumer. Its a sad fact that we are wide open to these attacks because industry and government refuse to act. They like things just the way they are. Industry enjoys the protection of the courts who have ruled that unless you can prove actual damages the retail customer can’t sue the retailer who lost the data. They are saying, your data was compromised…and…

The U.S. government is willfully ignorant and reluctant to deal with this growing problem. I believe these data breaches threaten our economic future. Both in the areas of wealth, data and technology loss. We need to do something or we can just kiss it all goodbye.