Saturday, September 20, 2014

Ex-employees warned Home Depot for years on security breach

Last week, Home Depot confirmed that its payment security systems had been hacked, impacting all of Home Depot's 2,200 stores in the United States, and possibly Canada. The Home Depot computers were apparently hit by a variation of the same malware program which breached Target's computers last year.

Today, there is this interesting story that came from the New York Times:
The risks were clear to computer experts inside Home Depot: The home improvement chain, they warned for years, might be easy prey for hackers.
But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.
Yet long before the attack came to light this month, Home Depot’s handling of its computer security was a record of missteps, the former employees said. Interviews with former members of the company’s cyber security team — who spoke on the condition they not be named, because they still work in the industry — suggest the company was slow to respond to early threats and only belatedly took action.

In recent years, Home Depot relied on outdated software to protect its network and scanned systems that handled customer information irregularly, those people said. Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.
Then, in 2012, Home Depot hired a computer engineer to help oversee security at its 2,200 stores. But this year, as hacks struck other retailers, that engineer was sentenced to four years in prison for deliberately disabling computers at the company where he previously worked.
What disturbs me about this NY Times story is the cavalier attitude Home Depot has in regard to providing such computer security. Home Depot's managers knew since 2008 that their systems were vulnerable to hackers, yet they did nothing. Home Depot continued to rely on outdated scanning software, conducted irregular scans on their computer systems, and even hired a computer security engineer who was convicted of disabling computers at his previous employer. Stephen Holmes, a Home Depot spokesman, said that the company is moving towards improving computer security through an encryption register system, and switching over to a new payment system based on smart-chip cards for all Home Depot stores. Holmes claims that Home Depot maintains "robust security systems," and that "Our guiding principle is to do what's right by our customers."

And yet, according to the NY Times:
Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”
What we have here are Home Depot upper-level managers who are completely clueless about computer systems and security. These managers could have been MBAs, with a specialization in bean counting. They know exactly how many hammers Home Depot has sold, and how much money they could save by cutting back on employee payrolls, computer software and hardware purchases, or even by not running background checks on a security engineer before hiring him. These are managers that are concerned with short-term profits, rather than long-term investment in technology infrastructure to secure Home Depot's computer data. Technology and software infrastructure is expensive and difficult to replace and implement, and training computer professionals to run and monitor the system takes time--you are not going to get your return on such an investment by the next quarter. The cost of Home Depot's failure to maintain their computerized security systems only becomes clear after the hackers have breached the system, and possibly stolen the customer data. It is all about short-term profit and corporate greed.

Then again, I wonder how much Home Depot will pay for the cost of this security breach.