As if it wasn't bad enough to lose 56 million credit card accounts, now Home Depot has to admit it also lost 53 million email addresses. This gives the bad guys a fabulous opportunity to go spear-phishing with a Home Depot theme. What an epic fail.
Home Depot warns its customers to be on guard against phishing scams. What they should do is give all these households a free security awareness training course for the whole family on top of the required one-year credit report monitoring.
Notably, the hack followed the same pattern as Target, where the bad guys came in through a Pennsylvania-based refrigeration contractor’s electronic billing account.
Home Depot's Frank Blake, who retired as chief executive last month as scheduled, has conceded the company needs to place greater emphasis on data security. "If we rewind the tape, our security systems could have been better," Mr. Blake said in an interview last month. "Data security just wasn’t high enough in our mission statement."
No $#!+, Sherlock. Your internal IT security people were leaving the company and telling their friends and family to only pay cash at Home Depot.
The malware's entry point turned out to be a server at a store south of Miami. The hackers got into the vendor's systems last April by stealing a password, used a zero-day vulnerability in Windows to elevate their access to admin rights, and were then able to move through Home Depot’s systems during daytime hours and over to the company’s point-of-sale systems.
Next, they targeted 7,500 of the company’s self-checkout lanes, because the registers’ reference names in the computer system clearly identified them as payment terminals. The hackers stayed undetected for five whole months. Obviously Home Depot was not running any breach detection software and was flying blind.
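Two details in that story are detectable: a third-party vendor account should never be logging on to a payment terminal, and no legitimate user fans out to dozens of registers in a few minutes. The following Python snippet is an added example, not code from the original post and not a description of Home Depot's real environment. It runs two such checks over constructed Windows-style logon records: the log format, the `POS-` hostname convention, the `vendor_` account prefix and the sample lines are all assumptions made for the example.

```python
"""Toy lateral-movement detector over constructed logon records.

Constructed sample data and naming conventions only; nothing here is
taken from Home Depot's systems or logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed naming conventions (not Home Depot's): payment terminals are
# named POS-*, and third-party accounts start with vendor_ or svc_vendor.
POS_HOST = re.compile(r"^POS-", re.IGNORECASE)
VENDOR_ACCOUNT = re.compile(r"^(vendor_|svc_vendor)", re.IGNORECASE)

# Assumed record layout: "<ISO timestamp> <account> <source> -> <dest> <logon type>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) (\S+)$")

# Constructed sample logons: a vendor account first touches back-office
# hosts, then walks six self-checkout registers in under a minute.
SAMPLE_LOGS = """\
2014-04-10T09:02:11 vendor_svc VENDOR-BILLING -> FILESRV-01 network
2014-04-10T09:05:40 vendor_svc VENDOR-BILLING -> DC-01 network
2014-04-10T10:15:03 vendor_svc WS-4412 -> POS-SELFCHK-0001 network
2014-04-10T10:15:09 vendor_svc WS-4412 -> POS-SELFCHK-0002 network
2014-04-10T10:15:15 vendor_svc WS-4412 -> POS-SELFCHK-0003 network
2014-04-10T10:15:22 vendor_svc WS-4412 -> POS-SELFCHK-0004 network
2014-04-10T10:15:30 vendor_svc WS-4412 -> POS-SELFCHK-0005 network
2014-04-10T10:15:37 vendor_svc WS-4412 -> POS-SELFCHK-0006 network
2014-04-10T11:00:00 jsmith WS-1001 -> FILESRV-01 network
2014-04-10T11:30:00 pos_admin POS-MGMT-01 -> POS-SELFCHK-0001 network
"""


def parse_logons(text):
    """Parse logon records into dicts; blank or malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, account, src, dst, logon_type = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
            "type": logon_type,
        })
    return events


def detect(events, fanout_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, account, detail) alerts for the two checks."""
    alerts = []

    # Rule 1: a third-party vendor account reaching any payment terminal at all.
    for e in events:
        if VENDOR_ACCOUNT.match(e["account"]) and POS_HOST.match(e["dst"]):
            alerts.append(("vendor_to_pos", e["account"], e["dst"]))

    # Rule 2: any account touching >= fanout_threshold distinct terminals
    # inside a sliding time window (one alert per account).
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if POS_HOST.match(e["dst"]):
            per_account[e["account"]].append(e)

    for account, hits in per_account.items():
        start = 0
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            distinct = {h["dst"] for h in hits[start:end + 1]}
            if len(distinct) >= fanout_threshold:
                alerts.append(("pos_fanout", account,
                               f"{len(distinct)} terminals within {window}"))
                break
    return alerts


if __name__ == "__main__":
    for rule, account, detail in detect(parse_logons(SAMPLE_LOGS)):
        print(f"{rule}: {account} -> {detail}")
```

On the sample data the vendor account trips both rules, while `pos_admin`, whose job is to touch one register from the POS management host, trips neither. The thresholds are starting points; in a real estate you would tune the window and the fan-out count against a baseline of normal register maintenance.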
Given that the stolen Home Depot data was offered on the fairly exclusive Russian carder site Rescator, where the Target breach data was also marketed, it looks like this is the same cyber mafia that got into Target.
Did the Russians fly over to Miami and drop an infected USB drive on the doorstep of the vendor? Not likely. They just crafted a high-quality spear-phishing attack and waltzed in the door, like shooting phish in a barrel.
It is a good thing that, despite the skeptics, security awareness training for employees is booming. Employee security awareness computer-based training has been derided in the past, but new Gartner research suggests that a market of competitive, high-quality vendors is making security awareness a must-have.
Gartner wrote as the intro of their Magic Quadrant: "Employees' actions can detrimentally impact security and risk performance. CISOs and employee communication leaders are increasingly turning to educational security awareness solutions to help improve organizational compliance, expand security knowledge and change poor security behaviors."
Gartner research vice president Andrew Walls stated: "If you are not educating employees about your policies, there should be no expectation that they will follow them. Enterprises should consider it basic hygiene, just like having antimalware on desktops."
KnowBe4 made the list of the world's Top 20 players in security awareness computer-based training; you can see a summary of the Gartner Magic Quadrant on their website.