Hackers Learned "Do-It-Yourself"
If there's an open window, a crook will climb in. If there's a crack in a network's operations, a hacker will slip through it and find a way to do damage.
Individuals and business need to learn that hackers are always on the prowl, but large organizations are at greater risk because they have more to lose—and hackers know it. A major data breach in 2014 proved that companies are making serious mistakes when they don't make network safety a top, corporate-wide priority.
That's the lesson The Home Depot learned...the hard way. Because in April 2014, hackers found their way into Home Depot's security systems, and in the process, pulled off the biggest retail credit card breach in U.S. history.
The hackers compromised (meaning they got access to) 56 million Home Depot credit card customers. They also stole 53 million customer email addresses.
What The Home Depot learned, as did everyone else, was that network security needs to be in place not just at obvious entry points for hackers, but also throughout the entire system. Examining the safeguards that had been in place prior to the attack, here's what Home Depot concluded:
- Home Depot had taken too long over the previous few years to increase its security.
- They had spent more time and money on detecting security breaches instead of anticipating where hackers might attack.
- Even a chief executive who left Target in October of 2014 said, "Data security just wasn't high enough in our mission statement."
You might think that the email address theft isn't so serious, but what it does is provide hackers email access to shoppers with active accounts. A hacker can use the information to send deceptive email messages to Home Depot customers with the hope of tricking some of them into giving away vital information, such as their Social Security numbers.
And the only thing that Home Depot really did about the email theft was to tell customers to "be on guard" for phishing attempts. You have to wonder if Home Depot customers would like to reply to the retail giant, "Be on guard for hackers!"
Hackers learn "do-it-yourself."
According to Home Depot's own investigation, the hackers got into their systems in a unique way...and in a way they hadn't expected: The hackers infiltrated the system indirectly—they stole a password from a Home Depot vendor, a company that Home Depot works with.
That's the same thing that happened to Target stores. Hackers busted into Target's systems by first sneaking through a back door, when they hacked into the account of a refrigeration company and then gained access to Target's system when the vendor submitted an invoice for payment electronically to Target.
You would think that companies with large networks (and millions of customers) would be on top of security gaps—unfortunately, that's not the case.
Through the window, and then inside.
Once the hackers got their foot in the system with the stolen password, they were like thieves at night, sneaking through vulnerable "doors," seeing what kinds of internal operations they could tinker with. At one point, they came up against the heart of the computer operations running on Microsoft software. The hackers found a vulnerable spot in the software and were able to gain access to the entire Home Depot operation system. (Microsoft has since fixed the vulnerability for its customers with a software patch...but it was too late for Home Depot.)
Blending in with everyday business.
Once the hackers breached the system, they did their secret work, operating during normal business hours, stealing data, collecting data, transmitting it outside to their own computers...and erasing their steps without detection. Amazingly, they blended right in with all the other operations.
And Home Depot, who thought they could spot a breach, was unaware of it all.
Eventually, the hacker's daily escapades led them to the data that comes from 7,500 self-checkout terminals at Home Depot (but not the cash registers run by employees). The terminals were identified on the Home Depot computer system as "payment terminals"—which told the hackers they'd found something worthwhile.
Along the way, the hackers were installing malware—malicious software—that went undetected and then waited for an opportunity. It worked, and they were able table to steal credit card numbers right from the self-checkout terminals.
We've been hacked!
The whole hacking episode was discovered only when Home Depot found out (along with others) that some suspicious credit account numbers were up for sale on an online forum for hackers Labor Day weekend, 2014.
Here's the ironic part:
- Before the attack, Home Depot had gone through several years of what they thought were significant security updates. In reflection, all of their moves were technologically behind the hackers' capabilities.
- About the time (in April) that hackers first busted through, Home Depot was launching a project to boost security at their payment terminals to offset hackers—but the project moved at a slow pace and wasn't finished in time.
- Also in April, as the hackers were frolicking inside and outside of Home Depot operations, Home Depot, totally unaware of what was happening, was putting together a book related to IT matters. It was a comprehensive 50-page internal document on how to respond to a hack.
If there's a lesson for all of us, it's this: We need to be careful with all of our personal and financial information, because the companies and security experts we think are taking care of us are better at detecting what went wrong than they are at preventing it.