The Truth About Home Depot’s Security Breach: Hacking Was Easy… But Why?

Here’s the thing about breaking into a multi-billion-dollar company and stealing the credit card information of millions of customers: It’s just not that hard.

Eight months after a security breach brought scorn on Target and resulted in the resignation of its CEO, Home Depot was the victim of a nearly identical attack.

Andrew Avanessian, vice president of professional services at the security firm Avecto, confirmed, when speaking about the Target security breach, that the hackers didn’t actually do anything clever. That breach compromised the information of millions of customers after malware infected the point-of-sale systems that process credit card swipes. Security reporter Brian Krebs reported that a similar piece of malware is to blame in the Home Depot attack, indicating that it could even be the same group responsible for the Target breach.

Although some experts such as Avanessian believe that the hackers are always “one step ahead”, the truth is that the majority of these hacks can be avoided.

Most software, before it is delivered to the general public, typically goes through two levels of testing, namely “Alpha” (or stage 1) and “Beta” (or stage 2) testing. What the average software user does not know is that there is a third testing phase that occurs after the software hits the shelves, and the consumer is the proverbial guinea pig. This is because developing most major software applications or operating systems and testing them to perfection would not be practical within an affordable timeframe. Using this method of testing also opens up the market to newer and better versions of the same software, which in turn funds the developer’s research and development to actively improve and secure the software. Most improvements are delivered in one of two ways: via updates, or in the form of a new version of the software.

The average consumer typically waits about 60 days before they update most software on their computer, including their operating system (like Windows or Mac OS), which is a core software component for any computer or similar device. That’s 60 days for hackers to hit these machines. While most big businesses are usually on top of their updates, leaving no more than a 2 to 5 day window (which is typically not long enough for a hacker to exploit any security flaw in the application), they are not as quick to follow through with the second method of keeping systems secure, namely updating to the latest version of an application or operating system.

One real-life example deals with one major retail chain. (Let’s call them “Acme” for safety’s sake.) Microsoft discontinued support of its Windows XP operating system on April 8th, 2014, yet Acme only started to implement the move from Windows XP to Windows 7 on their point-of-sale and back-office systems during the first half of September 2014 in Canada. That’s about five months for hackers to develop a way to hack their front-line systems! It is no wonder that these hacks take place. The problem is not with the software developer in this case, however, as these notifications are made public several months ahead. The problem lies in one, or a combination, of the following 3 factors:

  • A company’s finances for these large-scale upgrade projects.
  • Company red tape and paperwork which slow these large-scale projects down.
  • A lack of proper timing or due diligence on the part of the company’s IT Infrastructure department and its higher-ups.

Large companies like Home Depot and Target do have it tough though, as most people handling the registers are not technical experts. Combine that with the factors I mentioned before, and most large company IT frontline security employees have their work cut out for them. Whether Home Depot and Target were in the same situation as Acme, however, I really do not know, but being attacked by malware raises the possibility that this might have been the case, or that the problem occurred due to an unwary frontline employee’s actions.

Still, with proper management, due diligence, and the proper tools, most large companies can still avoid these types of hacks, as malware is more typically engineered to hit known security problems in a particular application or operating system. Trimac Transportation is a prime example of a large business with a well-run internal IT department that manages to keep itself ahead of hackers, if not leave them in the dust completely. This is all due to their good management, due diligence, and the tools they use to get the job done right.

IT security staff are the unsung heroes with regard to a company’s information security. When properly run, a good IT department can mean the difference between company security and being hacked, both potentially having a dramatic effect on customer confidence. Any good business needs to realize this when operating. I really don’t have to say much in this situation, as history speaks for itself.

“Those who cannot remember the past are condemned to repeat it.”
– George Santayana

 
