Home Depot’s in-store payment system wasn’t set up to encrypt customers’ credit- and debit-card data, a gap in its defenses that gave potential hackers a wider window to exploit, according to interviews with former members of the retailer’s security team.
It’s unclear whether that vulnerability contributed to the hack that Home Depot announced on Sept. 8. Yet five former staffers describe a work environment in which employee turnover, outdated software, and a stated preference for “C-level security” (as opposed to A-level or B-level) hampered the team’s effectiveness. The former workers, including three managers, asked that their names not be used because they fear retribution from their former employer; some now work for companies that perform security functions for Home Depot.
Although the company this year purchased a tool that would encrypt customer-payment data at the cash register, two of the former managers say current Home Depot staffers have told them that the installation isn’t complete.
“We’re continually working to enhance our IT security to protect customer data, and we’ve taken aggressive steps to address the malware in this breach,” says Paula Drake, a Home Depot spokeswoman. “It wouldn’t be appropriate for us to comment on such rumors and speculation in the midst of our investigation.”
A “health check” on Home Depot’s information systems, which was performed by Symantec employees two months ago, identified out-of-date malware-detection systems, according to one former manager. Hackers may by then have been rifling through the company’s computer data. Home Depot has said that the hack may have begun as early as April and has the potential to compromise customers who used credit cards or debit cards at 2,155 stores in the U.S. and Canada.
The former information security managers say that when they attempted to make improvements to Home Depot’s security systems, they were at times turned down by its technology executives, including information security chief Jeff Mitchell. Two former managers, who left the company in 2011 and in 2012, said Mitchell told them to settle for “C-level security” because ambitious upgrades would be costly and might disrupt the operation of critical business systems. This management style frustrated a number of workers in Home Depot’s information security department, leading to dozens of departures from a team of fewer than 50 over the past three years, according to the former managers. Drake didn’t respond to a request for an interview with Mitchell, and Mitchell didn’t respond to a telephone message left at his office.
High turnover in information security departments can be costly because of the training that’s required for such positions, says Anup Ghosh, chief executive officer of Invincea, a security company in Fairfax, Va.
“Every time you have turnover, you’re training the next person and losing the institutional knowledge of people there,” Ghosh says.
The former managers say they were troubled by the lack of encryption for credit-card data at Home Depot stores. Data were sent from the stores to central servers in clear text, according to two of the former managers. This year, they say, Home Depot purchased a tool from Voltage Security to encrypt the card data, but the system hasn’t yet been implemented. Paula Brici, a spokeswoman for Voltage, declined to comment.
Three former information security managers also say that Home Depot was using out-of-date antivirus software for its point-of-sales systems. The program, Symantec’s Endpoint Protection 11, was released in 2007. Symantec unveiled version 12 in 2011, saying in a news release that the “threat landscape has changed significantly” and that the newer product would protect against the “explosion in malware scope and complexity.” Kristen Batch, a spokeswoman for Symantec, declined to comment.
Home Depot stayed with Endpoint Protection 11, despite staffers’ pleas to executives, former managers say. Symantec this year began phasing out customer support for the older version. All such support will end on Jan. 5, 2015, according to a page on the software company’s website, which bluntly states: “This is the end of the product life cycle.”