Security Awareness Training Blog

    Home Depot Hack Turns Into Criminal Negligence Scandal

    Home Depot Hack Turns Into Criminal Negligence ScandalWait for the class-actions lawsuits to get unleashed. The lawyers are going to be over this one like white on rice. Ex-employees from the Home Depot IT technology group are now claiming that management of the retailer had been warned for years that their Point Of Sale systems were open to attack and did not act on these warnings. Several members of the Home Depot IT security team quit their jobs in protest.

    It gets worse. In 2012, Home Depot management hired Ricky Joe Mitchell as their Senior IT security architect, apparently without doing their due diligence and background check. Turns out that Mitchell was fired from a company called EnerVest Operating where he sabotaged that
    company’s network for 30 days in an act of revenge.

    It gets even worse. Mitchell was kept on the job at Home Depot even after his indictment a year later and remained in charge Home Depot security until he finally pled guilty to federal charges Jan 2014.

    Wait, we're not done yet. Things are worse than _that_. The same ex-employees claim that Home Depot relied on antivirus that was not being updated with new antivirus definitions, a version of Symantec AV purchased in 2007.

    And here is the next epic fail. As we all know, to be PCI compliant, you need quarterly security scans, done by authorized third parties. However, vulnerability scans were only done irregularly, and most of the time only on a relatively small number of stores. A few IT security ex-employees said that their team was blocked from doing security audits on machines that handled customer data.

    And to add final insult to injury, in a total disregard for best practices, the Home Depot didn’t run any kind of behavioral network monitoring, which means they were not able to detect any breaches and for instance see unusual files being exfiltrated from the network.

    Now their PR team tried to paper over all this criminal negligence and claims that the company maintains "robust security systems",  and that the malware was custom made and hard to detect. Yeah, right. I see another CEO being fired in the near future...

    Looking at this type of negligent behavior, Home Depot must not have done a lot of security awareness training for their employees either. It is not sure yet how the hackers got in, but a website that was not sufficiently protected and allowed a SQL injection and a spear-phishing attack are the most likely attack vectors. 

    Don't let this happen to you and step your users through effective Kevin Mitnick security awareness training. Click on the button and find out how affordable this is for your organization.

    Get A Quote Now

     

     

    Return To KnowBe4 Security Blog

    Topics: Security Awareness Training, Cybercrime, Hacking

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe To Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews