BreachExchange mailing list archives

Home Depot ignored security warnings for years, employees say


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 22 Sep 2014 18:55:58 -0600

http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/

Former information technology employees at Home Depot claim that the
retailer’s management had been warned for years that its retail systems
were vulnerable to attack, according to a report by The New York Times.
Resistance to advice on fixing systems reportedly led several members of
Home Depot’s computer security team to quit, and one who remained warned
friends to use cash when shopping at the retailer’s stores.

In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security
architect. Mitchell got the job after being fired from EnerVest Operating
in Charleston, West Virginia—and he sabotaged that company’s network in an
act of revenge, taking the company offline for 30 days. Mitchell retained
his position at Home Depot even after his indictment a year later and
remained in charge of Home Depot’s security until he pled guilty to federal
charges in January of 2014.

The Home Depot breach, which reportedly began in April of 2014 and went
undetected until earlier this month, exposed an estimated 56 million credit
card numbers. Home Depot spokesperson Stephen Holmes told The New York
Times that the company maintains “robust security systems.” Home Depot
officials have said that the malware used in the attack, BlackPOS, had not
been seen before and would have been difficult to detect with its security
scans.

However, former employees contend that the company relied on out-of-date
antivirus software—a version of Symantec’s antivirus purchased in 2007. And
the company didn’t perform network behavior monitoring, so it would not
have detected unusual network traffic coming from point-of-sale systems.
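The paragraph above describes the detection gap: without network behavior monitoring, point-of-sale terminals talking to a previously unseen external host, or pushing far more data than usual, raise no alarm. The following is an added example (not code from the article, Ars Technica, or Home Depot) of the simplest form of such monitoring: learn each POS terminal's normal peers and flow sizes from a baseline window of flow records, then flag later flows that break that baseline. The flow records, host addresses, the 10.0.0.0/8 internal range, and the `PosBehaviorMonitor` class are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One summarised network flow (NetFlow/IPFIX-style record)."""
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


# Constructed sample data for a hypothetical store network (not from the
# article). POS terminals live in 10.20.0.0/24 and normally talk only to the
# payment gateway 10.1.1.5:443 and the store controller 10.1.1.10:8080.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate address space

BASELINE_FLOWS = [
    Flow("2014-04-01T09:00:00", "10.20.0.11", "10.1.1.5", 443, 4_200),
    Flow("2014-04-01T09:00:05", "10.20.0.11", "10.1.1.10", 8080, 1_100),
    Flow("2014-04-01T09:01:00", "10.20.0.12", "10.1.1.5", 443, 3_900),
    Flow("2014-04-01T09:01:07", "10.20.0.12", "10.1.1.10", 8080, 1_300),
    Flow("2014-04-01T09:02:00", "10.20.0.11", "10.1.1.5", 443, 5_000),
]

OBSERVED_FLOWS = [
    Flow("2014-04-02T09:00:00", "10.20.0.11", "10.1.1.5", 443, 4_400),          # normal
    Flow("2014-04-02T09:00:09", "10.20.0.12", "10.1.1.10", 8080, 1_250),        # normal
    Flow("2014-04-02T02:13:00", "10.20.0.12", "203.0.113.45", 443, 9_500_000),  # unknown external peer, large upload
    Flow("2014-04-02T02:14:00", "10.20.0.12", "10.1.1.5", 443, 60_000),         # known peer, ~15x usual volume
]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


class PosBehaviorMonitor:
    """Per-source baseline of (destination, port) peers and flow sizes."""

    def __init__(self, volume_factor: float = 5.0):
        self.volume_factor = volume_factor
        self.peers = defaultdict(set)      # src -> {(dst, dport), ...}
        self.max_bytes = defaultdict(int)  # src -> largest single-flow bytes_out seen

    def learn(self, flows):
        """Record what each terminal talked to, and how much, during the baseline."""
        for f in flows:
            self.peers[f.src].add((f.dst, f.dport))
            self.max_bytes[f.src] = max(self.max_bytes[f.src], f.bytes_out)

    def evaluate(self, flows):
        """Return one alert per flow that deviates from the learned baseline."""
        alerts = []
        for f in flows:
            reasons = []
            if (f.dst, f.dport) not in self.peers[f.src]:
                reasons.append("new-peer")              # terminal never spoke to this host:port before
            if not is_internal(f.dst):
                reasons.append("external-destination")  # POS traffic leaving the corporate ranges
            if self.max_bytes[f.src] and f.bytes_out > self.volume_factor * self.max_bytes[f.src]:
                reasons.append("volume-spike")          # far more outbound data than any baseline flow
            if reasons:
                alerts.append({"ts": f.ts, "src": f.src, "dst": f"{f.dst}:{f.dport}",
                               "bytes_out": f.bytes_out, "reasons": reasons})
        return alerts


def run_demo():
    """Train on the baseline window, then score the observed window."""
    monitor = PosBehaviorMonitor()
    monitor.learn(BASELINE_FLOWS)
    return monitor.evaluate(OBSERVED_FLOWS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two of the four observed flows are flagged: the upload to the unknown external host trips all three checks, and the oversized transfer to the legitimate payment gateway trips only the volume check. A quarterly vulnerability scan, the control the next paragraph discusses, looks at configuration rather than traffic and would see neither.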

The Payment Card Industry (PCI) Security Standards Council requires
security scans at least once a quarter, and third-party security audits.
But according to the Times’ sources, vulnerability scans were conducted
irregularly, and usually only on a small number of stores. Two former Home
Depot IT employees said that the security team was kept from checking a
number of systems handling customer data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
