back to article Home Depot ignored staff warnings of security fail laundry list

Home Depot is facing claims it ignored security warnings from staff, who say prior to its loss of 56 million credit cards, it failed to update anti virus since 2007, did not consistently monitor its network for signs of attack, and failed to properly audit its eventually-hacked payment terminals. The fixer-upper retail giant …

  1. Anonymous Coward
    Anonymous Coward

    I repeat my comment from the last article on this subject:

    And this is why we will always have this sort of problem. Companies, generally just don't want to spend money for security proactively.

    1. Anonymous Coward
      Anonymous Coward

      Re: I repeat my comment from the last article on this subject:

      It's an interesting twist that the security bods have taken a pre-emptive strike and laid blame on the management for preventing them doing their jobs.

      It's not going to be so easy for them to close rank now the mess has been put all on them.

      1. Anonymous Coward
        Anonymous Coward

        Re: I repeat my comment from the last article on this subject:

        Yeah, it is going to be easy for them to close ranks because that's absolutely true. It goes all the way up to the VP level. Sr. Director of IT Security Jeff Mitchell (no relation to the felon), the defacto CISO of the company, is the one who told us that "we sell hammers." The security staff had been on him and everybody we could get our hands on almost every day to fix their shit. Obviously nobody listened.

      2. chris lively

        Re: I repeat my comment from the last article on this subject:

        No. That's just how the blame game works.

        An interesting twist would have been those same "security bods" going to media outlets, twitter, etc to tell the world how HomeDepot was a ticking time bomb and was not interested in fixing it.

    2. David Kelly 2

      Re: I repeat my comment from the last article on this subject:

      I don't see any excuse for processing financial transactions on an OS which requires "antivirus" scanners. Should not be using a general purpose OS for a cash register.

    3. Rampant Spaniel

      Re: I repeat my comment from the last article on this subject:

      I would like to see any legal action resulting in the removal of the executives who made the decisions rather than just a fine which will likely result in front line staff (who weren't at fault for the breach) being fired to 'make economies'.

  2. Captain DaFt

    In other words:

    'Executives reportedly told pleading staff that "we sell hammers".'

    "We don't understand or care about all that 'security' jibber-jabber, so how important can it be?

    1. Anonymous Coward
      Anonymous Coward

      Re: In other words:

      "We don't understand or care about all that 'security' jibber-jabber, so how important can it be?"

      Well, in 2012 Home Depot's CIO, one Matt Carey, was paid around $3.5m, comfortably making the top ten of highest paid CIOs according to WSJ. I would suggest that the company and its owners were paying for a premium IT service, and if anybody is to blame for this it is is not reluctant chief execs or sales directors, it is the Home Deport CIO and his team.

      It is the CIO's job to articulate the costs and risks and technical threats that face the firm, to place that in clear, easy to understand language for non-IT literate managers, to be situationally aware and to prioritise threats, and to shepherd the board to make the right decisions. That's what the "C" means on his job title, and that's why he's paid millions. Too bad the boy wasn't up to it. It is possible to blame the board's audit, nominations and leadership development comittees, for Carey's appointment, continued employment, and the failures of audit that are implicit. These committees are entirely composed of Home Depot's non-executives (who on their performance here might be judged to be the same ineffectual "gentlemen's club" rent-a-non-exec types found the world over).

      I believe Carey is still in post, and he's been CIO since 2008, so the buck stops with him and his team. In my humble opinion he and selected senior managers should be fired immediately with prejudice and without compensation, and the non-execs should be cleared out like the contents of the Augean stables.

      1. Byham

        Re: In other words:

        It would be a salutory lesson if the card issuers withdrew the capability for Home Depot to use their cards. Until there is really hard action like this then the 'we sell hammers' brigade will continue letting their customers down. Yes the CIO is responsible but the CEO needs to know that what the CIO is doing or not doing is potentially a company killer, that way they won't sit with glazed over eyes waiting for coffee during a briefing from the CIO.

      2. Fatman
        Joke

        Re: senior managers should be fired immediately

        Nah!!!

        If they would have done this at my company. they would have been launched on a new career trajectory from the Trebuchet on the roof. The prized landing spot (at least in the common man's POV) is the cactus patch about 150 feet away.

        1. Anonymous Coward
          Anonymous Coward

          Re: senior managers should be fired immediately

          They won't be. Marketing boneheads look out for one another. Rarely in IT do we see executives suffer the consequences of their asinine IT decisions.

  3. Anonymous Coward
    Anonymous Coward

    Executives reportedly told pleading staff that "we sell hammers".

    Yes, the very hammers you will now be bludgeoned with by irate customers and security staff.

  4. channel extended

    We sell hammers.

    And now they will be hammered by the cost.

  5. Nym

    I once didn't protect gamer accounts ("only..."). I also have a bunch of accounts that got hacked and places where I couldn't game again using the same e-mail address. No, I don't break the cardinal rule; I use singular passwords. Sure, that means one letter or less--or else one per site, and complicated.

  6. Anonymous Coward
    Anonymous Coward

    Get a proofreader.

    What is this? "consistency monitor"? "basic adequate scans"? "require regularly third party audits"? "could resulting $3 billion in fraud"? You've had 2 days to write this story, Darren. The least you could do was to proofread it.

    1. Michael Thibault

      Re: Get a proofreader.

      "We sell eyeballs"?

    2. BryceP

      Re: Get a proofreader.

      That's not really an issue with individual authors on el Reg, more an issue with the editors. A long-standing one at that.

      Of course, it's hardly deal-breaking, just pretend it's cheeky homage to the Grauniad.

      1. Destroy All Monsters Silver badge

        Re: Get a proofreader.

        The Wifi connection from the pub downstairs will now be taken away!

      2. Primus Secundus Tertius

        Re: Get a proofreader.

        @BryceP

        As far as I can see, the Torygraph relies on voice recognition to turn reporters' phone calls into printed stories, with no sub-editing. The results are dire.

        I am no friend of the Graun, but let's be fair.

    3. TheDoc

      Re: Get a proofreader.

      ...and a spell checker. Unless "unvelievably" is now a word?

    4. Crisp

      Re: Get a proofreader.

      It's still a level of journalism above a Daily Mail article. Have you seen some of the stuff they publish? It's tough to find an article there that doesn't have spelling and grammar mistakes.

      1. James 139

        Re: Get a proofreader.

        The BBC news website is often just as bad.

        Incorrect words, inaccurate numbers and even duplicate words.

        They also appear to have mislaid their thesaurus, as every event they report on apparently "triggers" something else.

    5. Tony Haines

      Re: Get a proofreader.

      It's unvelievable!

      1. TheRealRoland

        Re: Get a proofreader.

        >It's unvelievable!

        It's literally unvelievable!

  7. Mark 85

    The hammers are hitting the fan.. or are about to.

    There's a whole lot of things we're not being told. Did the CIO know? Or didn't the warnings get that high? Were the warnings in ExecSpeak instead of TechSpeak? Is there a paper trail? Otherwise some middle IT manager is about to have a world of corporate hurt rain down on him.

    And yeah... profits are the bottom line and holding costs down. If the execs can deny it, like I said, some middle-level guy is about to get hammered.

    The Catch-22 to all this is that there is a built in scapegoat. Ricky Joe, convicted felon, working in security.

    1. Anonymous Coward
      Anonymous Coward

      Re: The hammers are hitting the fan.. or are about to.

      "Did the CIO know? Or didn't the warnings get that high?"

      Doesn't matter. It is the CIO's job to know, to make sure he's got people with their ears to the ground, and who in turn listen to their juniors. So if he did know he's at fault for not fixing it, if he didn't know then he's at fault for both not knowing and not fixing it. If his staff did it wantonly, then he's on the hook for hiring them and not supervising them.... there is no way out.

      In corporate gibberish, the CIO is both "responsible" and "accountable", which means there's no place to hide.

      1. paulc

        Re: The hammers are hitting the fan.. or are about to.

        you can bet your bottom dollar that if there was the possibility of being dragged through court and being jailed for these things, they'd pretty quickly set up a system of working practices that protected them like Supermarkets do with age checks on sales of drinks and cigarettes...

        Documentary evidence of procedures and evidence of those procedures being followed so that they can hang someone out to dry for not following them...

        1. Anonymous Coward
          Anonymous Coward

          Re: The hammers are hitting the fan.. or are about to.

          I thought the hammers were a team that played at Upton Park.

      2. Pascal Monett Silver badge
        Coat

        @Ledswinger

        What is this "accountability" that you refer to ?

        I understand "responsible", it means a CxO gets a big paycheck. But "accountable" ? Nobody has ever held a CxO accountable for anything since before Y2K.

        As for the "there is no way out", that is plain wishful thinking. Of course there is a way out : it's called a Golden Parachute.

        I will now hang back up my cynical hat and retire for the evening with a glass of single malt.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Ledswinger

          "Nobody has ever held a CxO accountable for anything since before Y2K."

          Tell that to Beth Jacobs, who left Target in disgrace after their data breach. And a rather dated, but still interesting link:

          http://www.cio.com/article/2430152/cio-role/one-in-four-cios-fired-for-performance.html

          With "no way out" I simply meant "no way of avoiding the blame". But I take your point that once you get to the boardroom, rewards for success are accompanied by rewards for mediocrity and for failure.

          And of course, if that's a single malt you're poised to enjoy, it's just as well to hang up your cynical hat since this will avoid coming to the conclusion that you're drinking a mere ingredient of what might otherwise have been an enjoyable blend.

    2. Anonymous Coward
      Anonymous Coward

      Re: The hammers are hitting the fan.. or are about to.

      Or maybe Ricky Joe just told some cell-mates just how easy it would be.... to avoid being passed around.

      Regardless, the C-people running the hammer store should really be tarred and feathered, assuming half of these stories are true. I have a sinking feeling that the stories are true.

    3. chris lively

      Re: The hammers are hitting the fan.. or are about to.

      "Did the CIO know?"

      It's the CIO's job to know about things like this. Specifically he should know who his company has contracts with, what they cost, etc. If he didn't then he is too dumb to continue in a job at that level. If he did, but did nothing about it, then he is too dumb to continue in a job at that level....

      Point is: Incompetence indicated either way so his head should roll.

  8. Notas Badoff

    The way to characterize it...

    Home Depot couldn't fix their own broken front door.

  9. Aslan

    FIX: No permission to accept cards for 30 days

    I propose a business which has a breach resulting in the theft of one million cards or more receive a ban on acceptance of cards, credit or debit, for 30 days. Lesser numbers of cards would result in a lesser ban. This would guarantee the security of card processing by making a breach to horrible to even contemplate for a business vs the current standard of issue an apology, blame hackers and pay extra money to the advertisers.

    1. John Smith 19 Gold badge
      Unhappy

      Re: FIX: No permission to accept cards for 30 days

      "I propose a business which has a breach resulting in the theft of one million cards or more receive a ban on acceptance of cards, credit or debit, for 30 days. Lesser numbers of cards would result in a lesser ban. T"

      Personally I like this. Butlikely to make businesses even less likely report a breach.

      1. Tom 13

        Re: Butlikely to make businesses even less likely report

        Easy enough to fix. If you fail to report a breach and the breach is discovered through other means, you permanently lose the ability to process cards.

    2. Duncan Macdonald
      Mushroom

      Re: FIX: No permission to accept cards for 30 days - 30 YEARS

      30 years - not 30 days - make the penalty so bad that firms are FORCED to have good security or go out of business.

      1. Anonymous Coward
        Anonymous Coward

        Re: FIX: No permission to accept cards for 30 days - 30 YEARS

        "make the penalty so bad that firms are FORCED to have good security or go out of business"

        Nope. That means that the firm takes the hit not the management. If the firm goes down, well qualified experienced managers will quickly find another job even if they were at fault. It's easy when a firm collapses to ensure any personal blame is hidden.

        But who does take the hit if the firm goes down: ordinary employees, suppliers and unsecured creditors, and the owners, who are mostly secondary market passive stock investors like pension funds, insurers and the like. Is that a good outcome?

        A partial solution is to make directors and officers personally liable for data security, including a change to the law to make them liable for breaches, and to impose a duty of responsibility to know what the security status of the firm is (ie close off the "we didn't know" excuse). A bit of jail time would be far more of a deterrent than a corporate penalty, particularly after a few golf club friends have been hauled off to the big house.

        1. Anonymous Coward
          Anonymous Coward

          @Ledswinger

          So you want a Sarabes Oxley type law for data protection?

  10. Mk4

    Security dept. is there to serve the business

    This might be a somewhat unpopular opinion but at the end of it all, it's a business decision. I agree with Mark 85 - there is going to be a political fight over who to blame and if there isn't a solid paper trail showing the security department made all the right noises (and it sounds like they did) the blame can be laid on some security staff (right or wrong).

    It's time security folks joined the rest of the IT world in a thorough understanding that they need to justify what they do. Simply telling businesses "you need to spend this money to get this new thing" will never elicit the desired response from a security perspective. I remember mainframe and VMS operators about 15 years ago tellling businesses they "needed another million" and being surprised to be asked why. Ho hum, the wheel turns.

    1. Robert Helpmann??
      Childcatcher

      Re: Security dept. is there to serve the business

      It's time security folks joined the rest of the IT world in a thorough understanding that they need to justify what they do.

      I'm not sure which world you live in, but what I have seen is not so much in the explanation or understanding of the requests, but in management's caring. It is easy to explain something in terms of "If you do this, you will add this amount to the bottom line." It is fairly easy to explain things in terms of "If you do this, we can cut costs in these areas." What is harder to get someone to sign off on is, "If we spend this money, the odds are good we will avoid losing more later." This last is what security budgets seem to translate to in Managerspeak. Add some regulatory teeth to the equation and you might have something along the lines of "Invest this amount now or you will end up paying this much larger amount later" which would result in better implementation of security standards.

      1. Mk4

        Re: Security dept. is there to serve the business

        Yes, additional laws or other regulation is one option that can be used to get businesses to meet a higher level of security. But the drawbacks are it's a pretty blunt instrument (you have to find a law that can be applied to all companies) and there needs to be a check for compliance. That last point on checks on compliance is a very significant one - it looks like PCI DSS rules were not complied with in this case and it seems over a number of years. But this was not detected, so we can deduce that no-one checked properly or perhaps at all. That's a pretty damning inditement of the credit industry, and illustrates that laws and regulations are not going to help if there is no effective enforcement.

        Businesses understand risk - they take risks all the time. The risk to the corporate reputation seems to have been realised in this case and there was an attempt to take action, which was too late. To me that looks like the risk became very obvious to the leadership, but at too late a stage. Making the business risks clear to management early on is the right way to go and if the business decision is to do nothing then it's a business risk the management have decided to take.

  11. Elmer Phud

    Standard procedure

    " it failed to update anti virus since 2007,"

    So, they didn't pay for McAfee once the free version with the new machine had run out?

  12. Henry Wertz 1 Gold badge

    CIOs fault -- yes but for a different reason

    Is it the CIO's fault? Well, yes, but not for the reason suggested.

    I have to disagree with Ledswinger's assertion that it is automatically the CIO's failure to articulate costs and so on that led to this problem. Some people, you can articulate the need for something to be done as eloquently, definitively, and assertively as you want, they just will not listen. Maybe he didn't make his case, maybe the executives just didn't listen.

    On the other hand, why should tills have internet access? The couple setups I've dug into, against any sanity and good judgement the registers are running Windows (this is enough by itself to make me only pay cash!), but anything on the "cash register" network segment can ONLY contact a single computer, not to the public internet -- if a till were hypothetically hacked it could never phone home. Forget virus scanners and whatever, this is where the CIO's going to run into problems -- why was the network at each location set up so incompetently? If the tills connect to a "back of house" server to do all transactions, they should not be able to reach the internet at all, and the back of house should be behind a firewall that only lets it connect to the card processor and whatever Home Depot machines it needs to connect to to record sales transactions. If the tills do this themselves, then they should be similarly restricted. The fact that this information could get out at all means they were not doing this.

    1. Anonymous Coward
      Anonymous Coward

      Re: CIOs fault -- yes but for a different reason

      People put windows on tills because it is cheaper.

      People don't hire security experts to produce secure designs and architecture because it is cheaper

      People connect tills to the internet (instead of a hardened private networks) because it is cheaper.

      People ignore their IT staff's good advice because it is cheaper.

      Hammer-selling, C-fools will only understand when:

      Allowing insecure payment systems BECOMES TOO EXPENSIVE or PAINFUL to be allowed,

      Basically, we need an IT-Security Ralph Nader to wake people up and galvanize the industry into action.

      Until then, paying cash is probably a good idea.

      Any questions?

  13. This post has been deleted by its author

  14. Richard Conto

    Bad for PCI DSS too

    7 YEARS without satisfying PCI DSS third party audits?

    Not good for the credibility of PCI DSS as a whole.

  15. SoaG

    3 billion dollars...1

    ...worth of fraud.

    Another 6 billion lawsuit settlements and 12 in lawyers fees?

    No wonder Lowe's shares are up lately.

  16. tom dial Silver badge

    Did anyone else notice that the comments to the article may contain more actual information about the incident than either the Reg. or NYT articles?

    On the other hand, is enough publicly known yet to make reasonable conclusions about who did what wrong, other, apparently, than the kind of slackness common in large organizations?

    1. Swarthy
      Thumb Up

      Did anyone else notice that the comments to the article may contain more actual information about the incident than either the Reg. or NYT articles?

      That's the main reason I read the Reg, the articles are usually good, better than most, but the Commentariat is what makes this red-top one of the best sources of information on t'interwebs.

  17. Anonymous Coward
    Anonymous Coward

    Typical executive mindset

    Most big companies I've worked for are run by marketing boneheads who rose up in the ranks and became executives. Marketing boneheads, usually having been the jocks and frat boys in school, know next to nothing about computers.

    They care about one thing: Money. To them, IT is just an expense-center filled with a bunch of nerds who only want to spend the company's money on new toys they don't need. We were merely an annoyance to them and any protections we try to put in place that make the company loads safer, but their routine a tiny bit more involved are shut down.

    Basically hearing about how the executives treated the IT Security staff comes as absolutely NO surprise to me. And being told the customer database is off-limits is also not surprising. Marketing goons are too stupid to realize that in order to protect your data, you have to allow access to it to trusted people who need access.

  18. Tree

    If you allow it to update, it will do so during the busy times

    The article implied that the antivirus had not been updated since 2007. Windows probably also had no security updates for the same reason. That's all you need for it to reboot before waiting on customers. A simple DOS or Unix box programmed to do one thing only would have been cheaper and better. And do not connect to the interwebs!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like