Over 50 million home improvement enthusiasts may need to focus more on how to fix their credit scores after Home Depot’s credit card data was stolen from its network. Reports, again, point directly to Russian hackers who allegedly posted customers’ account information, as well as their addresses and zip codes, to a black market dark site.
And along the way it became an unflattering tale of little fish takes big fish, as the high-stakes caper left global security specialists baffled as to how the breach could have gone undetected for so long by one of the world’s major DIY retailers. Back in 2008, says the New York Times, a few IT employees had alerted senior executives that guppies were, in fact, circling the waters. But like most sharks, executives did not seem too concerned at the time, instead choosing to depend on antiquated antivirus software for protection.
In 2012, the big fish at Home Depot relied on a shady IT specialist, Ricky Joe Mitchell, who was later sent to federal prison for four years, says Forbes. Before landing the Home Depot job, Mitchell had gotten the axe for deactivating the system of his former employer, the oil and gas giant EnerVest, for approximately 30 days. Other Home Depot IT staff told Forbes that they saw the very sophisticated theft coming years ago. They also told Forbes that they had been trying to get top executives to invest in “new software and training,” but were told: “We sell hammers.”
It wasn’t until after the 2013 Target breach that Home Depot’s chief executive, Frank Blake, hired some security experts to develop a game plan on how to protect the home improvement chain from any potential threats, a former IT employee told the New York Times. Voltage Security, a California-based company, had not started implementing "the more secure system" until April 2014, says the New York Times.
By that time, the data breach was already underway. Several reports confirm that hackers had been penetrating the network for approximately five months. According to the New York Times, the launch of Home Depot’s “new encryption was not completed until last week”. It was also last week that Home Depot announced it was investigating whether the network had been penetrated by hackers.
“Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers,” Home Depot Spokeswoman Paula Drake told the Huffington Post. “If we confirm that a breach has occurred, we will make sure customers are notified immediately.”
Home Depot also told the Huffington Post “that it is working with banks and law enforcement to investigate”. But blogger and cyber security expert Brian Krebs, who also told the world about the Target data theft as a former Washington Post reporter, had started writing about the breaking news story as early as September 2. According to Krebs, "multiple banks" had witnessed concrete proof that indicated hackers had swiped customer information from Home Depot. On the same day, Home Depot had posted the following message on its website:
“If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers.”
It was not until September 8 that Home Depot announced that the company had been hit by hackers. Three weeks later, Home Depot told reporters that all malware was removed from its network. In addition, the company told Forbes that “the malware used in the attack has not been seen in previous attacks, describing the malware as ‘unique’ and ‘custom-built’”. The problem, according to Forbes, is that Home Depot’s story did not add up.
And remember the company’s plans to implement a more secure system? Well, Voltage Security’s work has been completed and the new system has been added to all of the U.S. locations. According to Forbes, Home Depot also plans to install “CHIP and PIN technology” to additional locations. And while customers may not be able to count on getting the real truth, they can depend on yet another apology from the world’s sea of predators:
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” Frank Blake, Home Depot’s chairman and CEO, told the Huffington Post.
On September 23, Home Depot finally sent an e-mail to its customers: four weeks after their investigation, over five months after the cyber-attack started, and almost seven years since their IT employees warned them of a potential attack. (Full disclosure: I am a Home Depot customer, so I received the e-mail too.)
According to Krebs, Russian and Ukrainian hackers are behind the attack. Customers’ information is posted on a website that has ties with the Lampeduza Republic, says the Huffington Post. In his latest blog post, Krebs explained how the credit cards were listed under “European sanctions” and “American sanctions.” According to Forbes, it was a clear sign that the attack was a revenge plot because of the Western sanctions on Russia for its recent actions against Ukraine. Forbes added that the amount of data stolen makes the Home Depot attack the largest high-tech theft from a major retailer in history, “even larger than Target’s 40 million card breach”.