Former Home Depot IT Staff Slam Firm's Infosecurity Stance


Home Depot’s data security was so bad that IT staff at the nationwide DIY chain recommended friends use cash rather than cards, according to damaging new allegations from former employees.

According to a New York Times report, interviews with several information security practitioners who used to work at the company paint a picture of a retailer that paid scant regard to the security of customer data.

Managers refused to take the concerns of these former employees seriously, the report says, relying on basic Symantec antivirus software that dated back to 2007 and failing to run the full quarterly vulnerability scans that PCI DSS stipulates (requirement 11.2 calls for internal and external scans at least every quarter).

Instead, scans were done irregularly and often only at a small number of stores, the article claims.

Home Depot told the paper in response that PCI DSS allows systems not connected to wider corporate networks to be exempt from scanning. That is true only as far as it goes: the standard lets an organization reduce scope through network segmentation, but the segmentation itself has to be verified, and any system that stores, processes or transmits cardholder data, point-of-sale terminals included, remains in scope regardless.

An F-Secure security advisor cautioned that, in any case, PCI DSS is quite a low bar for a retailer to set its security standards by.

"The PCI DSS section 5.1.2 mandates 'periodic evaluations' of systems not 'commonly' affected by malware. It is no longer wise to worry only about systems that are thought to be commonly affected by malware (PCs) - all systems which handle customer data are a target," he told Infosecurity by email.

"PCI needs to do more to define standards for Point-of-Sale systems." 

Home Depot's 2012 hiring of Ricky Joe Mitchell to oversee its security systems backfired dramatically: in April he was sentenced to four years in prison for disabling PCs at his former employer, EnerVest Operating, after it fired him.

In its defense, Home Depot hired data security firm Voltage Security to roll out “enhanced encryption of payment data” to all of its US stores – a project now completed. It will also complete a chip and PIN roll-out by the end of the year in the States.

However, these measures weren’t taken quickly enough to stop hackers breaking into its systems back in April, using “custom-built malware.”

That data breach, Home Depot admitted last week, exposed information on around 56 million cards, making it the biggest retail card breach disclosed to date.

A statement from the company claimed that the “hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems.”

“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” it added.
