Home Depot Gets Hacked. What Should You Learn?
If you're a Home Depot customer, hackers may have stolen your consumer data. Did you do something wrong, like not protect your PIN at the register, or expose your credit card number?
Not at all. All you did was use your payment card at the register to buy your lumber and plants. The hackers did all the rest, while the Home Depot IT department was evidently asleep at the wheel. Because whoever was driving the security effort for the do-it-yourself superstore didn't see the crash that was coming.
For starters, Home Depot hadn't implemented the full features of its security software, as it had been advised to. The primary feature was designed to be an extra layer of protection at the terminals where you swipe your card and make your purchases.
It's not completely certain that the hackers attacked the terminals, but it certainly looks as if it were somewhere at the register. That same kind of hacker attack also happened at Target stores and Michael's.
Not only did the skilled hackers penetrate Home Depot's payments systems—they put the stolen credit card data up for sale on the Internet! If your data was stolen, it was also quickly up for sale. Not what customers expected when they bought cans of paint or a new faucet for the bathroom!
If that makes you upset, here's a little more to get you worked up: Before the big hack that occurred in the summer (2014), Home Depot had already been hacked a couple of times a few months earlier. (They didn't announce it publicly—the news leaked out later.) And when those smaller attacks happened, security contractors consulting for the company urged Home Depot to activate all of the features of its security software.
Well, they didn't, and not long afterward the hackers took advantage of that poor decision. That's not uncommon: Often, many companies don't put a high-enough priority on putting up a strong defense against electronic attacks. Like the average person, they think (or hope) that it won't happen to them.
That's unfortunate for people like you who shop at stores in good faith, thinking they've taken care of everything and that their payment information is safe and secure.
False sense of security.
In some ways, a store like Home Depot is no different from a lot of consumers, as far as thinking they won't be attacked. For instance, how many people do you know that have security systems in their home? Most of us think (or hope) that it won't happen to us, that the odds are in our favor.
Maybe that's what happened to the do-it-yourself warehouse. They just figured that the security they had in place (which had seemed to work okay up until then) was working well enough.
They were wrong. For a company that says it makes decisions based on "the best interests of our customers," this one didn't turn out too well.
Here's another lesson to be learned, not just for retailers, but for all of us: Home Depot did have security in place, but security experts were telling them they needed to use more technological firepower than they had on hand.
For example, according to an article in Bloomberg Businessweek (Sept. 22), the store was using outdated antivirus software, a 2007 version, in their stores. An upgrade had been released in 2011 (three years ago), but Home Depot chose, for some reason, not to purchase and implement it.
Lesson to learn: If there's an upgrade available for your antivirus program, get it and install it! Software companies provide upgrades for good reasons.
Why being cheap doesn't pay.
Here's something really disturbing about the Home Depot story: It's possible that the retailer was just too cheap and didn't want to take any "expensive" steps to increase their cyber-defenses. Unfortunately, that's not just a guess: According to reports, the company's decision to put cost-savings ahead of protecting customer data made a lot of Home Depot IT workers frustrated and mad. In fact, many of them have left the company because of that.
Lesson to learn: When you pay more, you usually get more. Usually, when you pay more for extra security features, it does translate into greater protection of your personal data. And the savings—not just in money, but also in peace of mind—just might be invaluable to you.