Home Depot Hacked After Months of Security Warnings

A breach at the home improvement retailer followed months of warnings

For a retailer with 2,266 stores and $79 billion in annual revenue, buying software to protect against hackers is a good idea. Using the software is a better one. In the year before cybercriminals penetrated payment systems of Home Depot stores in the U.S. and Canada, the retailer suffered at least two smaller hacks, according to internal company e-mails and reports. Afterward, Home Depot security contractors urged the company to strengthen its cyberdefenses by activating a key, unused feature of its security software that the internal documents say would have added a layer of protection to the retail terminals where customers swipe their cards.

Home Depot confirmed a breach on Sept. 8, almost a week after credit card data linked to its customers went up for sale on black-market website Rescator.cc.

The hack put as many as 56 million cards at risk—more than the the 40 million affected by last year’s breach at Target, Home Depot said today.

The home-improvement chain expects to pay about $62 million this year to recover from the incursion, including costs for call-center staffing and legal expenses. Insurance will cover $27 million of that cost, the company said.

Internal Home Depot documents show the Atlanta-based retailer had chosen to keep the extra security measure deactivated even though it was designed specifically to spot the kind of malicious software that attacks systems’ endpoints, like the registers that were hit at Target, Michaels, Neiman Marcus, and others.

While few details have emerged about the Home Depot breach—and it’s not clear that the deactivated safeguard would have stopped it—a person familiar with the investigation says the attack did hit the stores’ registers.

The hackers used custom-made software to evade detection, relying on tools that hadn’t been used in previous attacks, Home Depot said today in a statement. The malicious software, which “is believed to have been present between April and September 2014,” has now been removed from the company’s systems, according to the statement.

Home Depot has said its system breach may have begun as early as April. Three people familiar with the company’s cybersecurity at least through April, who aren’t authorized to discuss it publicly, say the retailer hadn’t made the suggested improvements by then.

“As our partners make recommendations, they’re processed, sorted, and executed based on the best solutions at hand and, ultimately, what’s in the best interests of our customers,” says Home Depot spokesman Stephen Holmes, declining to comment further.

It’s unclear why Home Depot resisted activating the intrusion prevention feature in its software suite, a Symantec product called Endpoint Protection. The internal documents suggest the program sometimes generated false positives. Two information security managers who previously worked for Home Depot say their supervisor told them to minimize costs and system downtime at the expense of improving security. They and three other former employees, who requested anonymity because they fear retribution, say the information security department has struggled with employee turnover and old software for about three years.

Security consultants urged Home Depot several times from August 2013 to February 2014 to turn on an Endpoint Protection feature, the internal documents say. According to an Oct. 1, 2013, report prepared for Home Depot by consultant FishNet Security, the retailer left its computers vulnerable by switching off Symantec’s Network Threat Protection (NTP) firewall in favor of one packaged with Windows. “It is highly advised and recommended the NTP Firewall component be deployed and that Windows Firewall be discontinued,” the report states. For intrusion prevention to work properly, it says, NTP was needed on all Home Depot computers, including register payment terminals. Instead, the company kept the protection off its registers and continued to scan for suspicious activities at the network level, say the internal documents. FishNet declined to comment.

Although it isn’t clear if intrusion detection at the register level would have prevented the breach, experts say it could have significantly raised chances of detecting the malware. “Simple tactics go a long way, like keeping track that something new is running,” says Josh Grunzweig, a malware researcher at data analyst Nuix. “I’d argue that would catch 95 percent of this stuff.”

Home Depot didn’t previously encrypt the customer card data on its registers and computers inside its stores, say three of the company’s former information security managers who still keep tabs on the operation. Today, the company announced that as of Sept. 13, it had completed “a major security project” that will provide enhanced encryption in its U.S. stores. The encryption project will be finished in Canadian stores by early 2015, the company said.

The two smaller incidents last year demonstrated that the retailer’s registers could be vulnerable. On July 25, 2013, a data-stealing virus at a Home Depot in Denton, Texas, spread to at least eight of the store’s registers, according to an internal e-mail. In December, a store in Columbia, Md., was found to be infected with “Infostealer,” malware known for lifting credit card data. It wasn’t clear in either case whether customer cards were compromised.

In February, Home Depot asked FishNet to investigate its exposure to a previously unknown vulnerability in Adobe’s Flash player. In a Feb. 13 report, FishNet again urged the retailer to deploy NTP and intrusion prevention to strengthen its defenses. That hadn’t happened as of April, say the three people familiar with Home Depot’s security.

The former information security managers say that executives, including information security supervisor Jeff Mitchell, rebuffed efforts to bolster cyberdefenses. Two of the managers, who left the company in 2011 and 2012, both say Mitchell told them to settle for “C-level security” because more ambitious measures would be expensive and might disrupt critical systems. These priorities frustrated workers in the information security department, leading in the past three years to dozens of departures from a team of fewer than 50, the former managers say. Mitchell didn’t respond to requests for comment.

The former managers say Home Depot was also using out-of-date antivirus software in its stores. In April it was still using Symantec’s Endpoint Protection 11, first released in 2007. Symantec unveiled version 12 in 2011, saying in a news release that the “threat landscape has changed significantly” and that the newer product would protect against the “explosion in malware scope and complexity.” Symantec declined to comment.

Home Depot planned to move to Endpoint Protection 12 but hadn’t made the transition by the time the breach is thought to have started, say the three people familiar with the company’s security. Home Depot declined to say whether the upgrade is now under way. This year, Symantec began phasing out customer support for the older version. All support will end on Jan. 5, according to the software company’s website. It bluntly states: “This is the end of the product life cycle.”