Home Depot called slow to act

Warned retailer of hack risks since 2008, ex-workers say

FILE - In this file photo made Oct. 6, 2009, employee John Abou Nasr pushes shopping carts in the parking lot of a Home Depot in Methuen, Mass. Home Depot’s data breach could wind up being among the largest ever for a retailer, but that may not matter to its millions of customers. (AP Photo/Elise Amendola, File)

The risks were clear to computer experts inside Home Depot: The home-improvement chain, they warned for years, might be easy prey for hackers.

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, former employees said. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers' credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

Yet long before the attack came to light this month, Home Depot's handling of its computer security was a record of missteps, the former employees said. Interviews with former members of the company's cybersecurity team -- who spoke on the condition they not be named because they still work in the industry -- suggest that the company was slow to respond to early threats and only belatedly took action.

In recent years, Home Depot relied on outdated software to protect its network and scanned systems that handled customer information irregularly, those people said. Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company's stores.

Then, in 2012, Home Depot hired a computer engineer to help oversee security at its 2,200 stores. But this year, as hacks struck other retailers, that engineer was sentenced to four years in prison for deliberately disabling the computers at the company where he previously worked.

Company officials said the malware used against Home Depot had not been seen before and would have been difficult to detect. Home Depot said Thursday that it had patched any holes and that it is now safe for customers to shop there.

Any card used there between April and Sept. 2 might be vulnerable to being used fraudulently. Stephen Holmes, a Home Depot spokesman, said the company improved its security this year by encrypting register systems and switching to a new smart-chip-based payment standard.

"Our guiding principle is to do what's right by our customers," Holmes said. The company maintains "robust security systems," he said.

Thefts like the one that hit Home Depot -- and an ever-growing list of merchants including Albertsons, UPS, Goodwill Industries and Neiman Marcus -- are the "new normal," security experts have said. These people say retailers have not only been complacent about security, they have also been reluctant to share information with one another.

Government officials estimate that as many as 1,000 retailers have been infiltrated by variations of the malware that first struck another big retailer, Target, late last year, and then Home Depot this year. They say many companies do not even know they have been breached.

"This is happening to so many companies now, it is getting hard to keep track," said Paul Kocher, the founder and chief scientist at the Cryptography Research division of Rambus.

Still, security experts were flabbergasted that Home Depot, one of the world's largest retailing companies, was caught so flat-footed after the breach at Target, which resulted in the theft of more than 40 million cards before Christmas last year.

After the Target theft, Home Depot's chief executive, Frank Blake, assembled a team to determine how to protect the company's network from a similar attack, said one person briefed on the project. By April, the company started introducing in some of its stores enhanced encryption that scrambled payment information the moment a credit card was swiped.

But criminals were already deep in Home Depot's systems. By the time the company learned Sept. 2 from banks and law enforcement that it had been breached, hackers had been stealing millions of customers' card information, unnoticed for months. The rollout of the company's new encryption was not completed until earlier this month.

Also, the company performed vulnerability scans irregularly on the dozen or so computer systems inside its stores and often scanned only a small number of stores.

Credit card industry security rules require large retailers like Home Depot to conduct such scans at least once a quarter, using technologies approved by the Payment Card Industry Security Standards Council, which develops technical requirements for its members' data security programs.

And yet, two former employees said, while Home Depot data centers in Austin, Texas, and Atlanta were scanned, more than a dozen systems handling customer information were not assessed and were off-limits to much of the security staff.
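The quarterly scanning rule described above is only meaningful if every system that touches cardholder data is actually in the scan schedule; the gap the former employees describe is systems that were in scope but never assessed. As an added illustration (not code from the article, from Home Depot, or from the PCI Council), the following Python reads a constructed asset inventory and a constructed list of scan records and reports which in-scope systems were scanned within the last 90 days, which have gone stale, and which were never scanned at all. The 90-day window as the meaning of "at least once a quarter", the asset fields, and all system names and dates are assumptions made for the example.

```python
"""Quarterly scan-coverage check for systems that handle cardholder data.

Added example; the inventory and scan history below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: "at least once a quarter" is enforced as a rolling 90-day window.
QUARTER_DAYS = 90


@dataclass(frozen=True)
class Asset:
    asset_id: str
    site: str
    handles_card_data: bool  # True puts the asset in scope for quarterly scans


@dataclass
class CoverageReport:
    as_of: date
    in_scope: int
    covered: int
    stale: list          # (asset_id, days since last scan) for overdue systems
    never_scanned: list  # in-scope systems with no scan record at all

    def coverage_ratio(self) -> float:
        """Fraction of in-scope systems scanned inside the window (1.0 if none in scope)."""
        return self.covered / self.in_scope if self.in_scope else 1.0


def coverage_report(assets, scans, as_of: date) -> CoverageReport:
    """Compare the in-scope inventory against scan records.

    `scans` is an iterable of (asset_id, scan_date). Only the most recent scan
    per asset matters; anything older than `as_of - QUARTER_DAYS` is stale.
    Scans recorded for assets that are not in the inventory are ignored, so an
    out-of-date inventory cannot make coverage look better than it is.
    """
    cutoff = as_of - timedelta(days=QUARTER_DAYS)

    last_scan = {}
    for asset_id, scanned_on in scans:
        if asset_id not in last_scan or scanned_on > last_scan[asset_id]:
            last_scan[asset_id] = scanned_on

    in_scope = [a for a in assets if a.handles_card_data]
    stale, never_scanned, covered = [], [], 0
    for asset in in_scope:
        last = last_scan.get(asset.asset_id)
        if last is None:
            never_scanned.append(asset.asset_id)
        elif last < cutoff:
            stale.append((asset.asset_id, (as_of - last).days))
        else:
            covered += 1

    return CoverageReport(as_of, len(in_scope), covered, stale, never_scanned)


# Constructed sample data (hypothetical system names; not real identifiers).
SAMPLE_ASSETS = [
    Asset("dc-austin-pos-db", "Austin DC", True),
    Asset("dc-atlanta-pos-db", "Atlanta DC", True),
    Asset("store-0101-register", "Store 0101", True),
    Asset("store-0102-register", "Store 0102", True),
    Asset("store-0103-register", "Store 0103", True),
    Asset("store-0101-signage", "Store 0101", False),  # out of scope, must be ignored
]
SAMPLE_SCANS = [
    ("dc-austin-pos-db", date(2014, 8, 15)),
    ("dc-atlanta-pos-db", date(2014, 7, 30)),
    ("store-0101-register", date(2014, 3, 2)),   # newest scan, but past the window
    ("store-0101-register", date(2014, 1, 10)),
    ("store-0102-register", date(2014, 8, 29)),
    # store-0103-register has no scan record at all
]
AS_OF = date(2014, 9, 2)


def sample_report() -> CoverageReport:
    return coverage_report(SAMPLE_ASSETS, SAMPLE_SCANS, AS_OF)


if __name__ == "__main__":
    report = sample_report()
    print(f"as of {report.as_of}: {report.covered}/{report.in_scope} in-scope systems "
          f"scanned within {QUARTER_DAYS} days ({report.coverage_ratio():.0%})")
    for asset_id, days in report.stale:
        print(f"  STALE   {asset_id}: last scan {days} days ago")
    for asset_id in report.never_scanned:
        print(f"  MISSING {asset_id}: no scan on record")
```

Run against the constructed data, the report shows three of five in-scope systems covered, one register stale at 184 days, and one register never scanned, while the out-of-scope signage host is left out of the denominator. The design choice worth noting is that the check is driven by the asset inventory rather than by the scanner's own history: a scanner can only report on what it was pointed at, so coverage has to be judged against the list of systems that handle customer data.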

A spokesman for the Payment Card Industry Council in Wakefield, Mass., declined to comment on Home Depot specifically.

Several former Home Depot employees said they were not surprised that the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: "We sell hammers."

A Section on 09/21/2014
