Home Depot: Massive Breach Happened Via Third-Party Vendor Credentials

Home Depot has revealed more details about the extent of the data breach it suffered this summer, noting that 53 million email addresses were stolen along with the previously disclosed 56 million credit and debit card details. And, the goods were lifted from its network due to stolen credentials from a third-party vendor. 

Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network, the company said in a statement. These stolen credentials alone did not provide direct access to the company's point-of-sale devices, but the hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the US and Canada.

Along with the payment card data, separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information, but phishing scams are a very real danger—suffice it to say that Home Depot shoppers shouldn’t click on any DIY-related links in unsolicited mails.

“Home Depot's recent disclosure that a stolen vendor password was used to gain access into Home Depot's systems…is yet another example that the biggest breaches are happening from the inside,” said Eric Chiu, president and co-founder of HyTrust, in an emailed comment. “Insider threats are not only the No. 1 cause of breaches, but also lead to the biggest damage; this is because once on the network, an outside attacker looks like any other employee and can take their time siphoning off data without being seen.”

Home Depot is of course the second major retailer to blame the supply chain for their breach. Target’s headline-grabbing data breach was started through compromised HVAC vendor credentials, showcasing poor network sequestration and vetting processes.

“The attacker is just going after access vectors that for whatever reason remain weak,” said TK Keanini, CTO at Lancope, in an email. “You can infer maybe that because the firm and consumers have increased their defenses, the attacker must pursue an alternate route. Supply chain is ripe and attractive because 1) it often has more access than it really should to the firm; and 2) the firm grinds down these suppliers’ margins so low that suppliers then cut costs by cutting security spending: It is going to get a lot worse before it gets better.”

What the Target and Home Depot breaches show us is that retailers need to tighten integration between inventory, teams and systems, according to Tom Bain, senior vice president of CounterTack—a not-easy task.

“Contributing to the ‘third party’ issues that retailers face is outdated software, as well as getting a better grasp of who is being granted shared access to the retailer’s networks,” he said. “There are just simply too many gaps along the entire supply chain. For example, if suppliers are using handheld devices to process orders, the wireless connection is at risk because encryption isn’t up to par or being used at all. There is little doubt that the transactional nature of the retail business makes it nearly impossible to monitor everything.”

What’s Hot on Infosecurity Magazine?