Home Depot – Right on Target? Not Quite.

The Home Depot breach could have been much, much worse. And the emerging details surrounding the breach have taken on a theatrical air.

Similar Tactics, Different Haul

In many ways, the breach perpetrated on Home Depot rings familiar to watchers of the Target breach. Point-of-Sale, or POS, machines were compromised by a version of the same BlackPOS malware used to infiltrate Target. Unlike that breach, this attack had time to nestle in, as hackers skimmed data undetected from April until September in 2,200 stores nationwide. Some 56 million cards were stolen over five months, making it the biggest breach to date.

So why wasn’t the number of cards compromised larger, given the technique and the timeline? Target’s breach lasted only three weeks, and 40 million cards were stolen. In Home Depot’s case, the hackers had installed the malware only on the self-serve checkout POS machines, which restricted their intake of card data but likely helped to hide the theft in the first place.

The hack continued unnoticed by Home Depot until, like Target, the company was notified by an outside source in early September. Brian Krebs, of KrebsOnSecurity.com, reported that banks had identified Home Depot as the common point of purchase in a massive batch of stolen credit and debit cards that had been released for sale on the black market.

The self-serve checkouts have since been dismantled and replaced (though there are reports that cards were still being skimmed days after the announcement), the malware has been expunged from the company’s systems, and the company will have completed the industry-mandated transition to chip-and-PIN machines by fall of 2014.

The Curveball

Investigations are still ongoing, but of interest is the parallel story developing alongside the breach.

Many anonymous sources have come forward with details of how Home Depot’s IT security was managed. Reports that warnings about the system’s vulnerability to attack went unheeded, that the antivirus software was over five years out of date, and that the audits required by the PCI Security Standards Council were irregular and covered only a fraction of stores (in some cases staff weren’t allowed to perform them at all) suggest that Home Depot was primed to have something happen; it was just a matter of when.

At the top of it all was Joe Mitchell, Home Depot’s senior IT security architect, hired before the breach and at the wheel throughout, who was indicted in 2013 and found guilty this September of causing over $1 million in damage to his former employer, EnerVest.

Having learned that he was about to be fired, Mitchell went on a streak of sabotage. Using remote access, Mitchell reset servers to factory defaults, disabled backups, and wiped data, phone system accounts, accounting data and applications for the eastern divisions. He then let himself back onto company property with still-active security credentials, disabling cooling systems for key equipment and manually disconnecting networks. His tantrum earned him four years in federal prison.

But it shouldn’t have been a surprise to anyone that Mitchell was capable of that level of mayhem. A simple Google search turns up Mitchell’s youthful interest in writing and spreading viruses, infecting his high school network and harassing the students who had turned him in, which led to his suspension and eventual transfer to another school — events he bragged about online.

To be clear, there’s no indication that Mitchell was involved with the Home Depot hack. But his indictment in 2013, together with reports of constant pushback and rebuffs of front-line IT staff regarding security measures, speaks to a level of corporate disinterest in information security. If not by thieves using BlackPOS, Home Depot was sure to be breached by someone sooner or later.

Whether it’s hackers who find a clever and unexpected way in, a lax or outdated security model, or even insiders with legitimate access holding a grudge, a system can’t be guaranteed safe. But what if you could take away the temptation, making those credentials useless because any use without a biometric key is instantly flagged elsewhere? You’ve not just made yourself more secure; you’ve taken away the reason to steal them in the first place.