Friday, 12 September 2014

Ex-Home Depot Managers Depict 'C-Level' Security Before the Hack

Home Depot’s (HD) in-store payment system wasn’t set up to encrypt customers’ credit- and debit-card data, a gap in its defenses that gave potential hackers a wider window to exploit, according to interviews with former members of the retailer’s security team.

It’s unclear whether that vulnerability contributed to the hack that Home Depot announced on Sept. 8. Yet five former staffers describe a work environment in which employee turnover, outdated software, and a stated preference for “C-level security” (as opposed to A-level or B-level) hampered the team’s effectiveness. The former workers, including three managers, asked that their names not be used because they fear retribution from their former employer; some now work for companies that perform functions for Home Depot.

Although the company this year purchased a tool that would encrypt customer-payment data at the cash register, two of the former managers say that current Home Depot staffers have told them that the installation isn’t complete.

“We’re continually working to enhance our IT security to protect customer data, and we’ve taken aggressive steps to address the malware in this breach,” says Paula Drake, a Home Depot spokeswoman. “It wouldn’t be appropriate for us to comment on such rumors and speculation in the midst of our investigation.”

A “health check” on Home Depot’s information systems, performed by Symantec (SYMC) employees two months ago, identified out-of-date malware-detection systems, according to one former manager. Hackers may by then have been rifling through the company’s computer data. Home Depot has said that the hack may have begun as early as April and has the potential to compromise customers who used credit cards or debit cards at 2,155 stores in the U.S. and Canada.

The former information-security managers say that when they attempted to make improvements to Home Depot’s security systems, they were at times turned down by its technology executives, including information-security chief Jeff Mitchell. Two of the former managers, who left the company in 2011 and 2012, said Mitchell told them to settle for “C-level security” because ambitious upgrades would be costly and might disrupt the operation of critical business systems. This management style frustrated a number of workers in Home Depot’s information-security department, leading to dozens of departures over the past three years from a team of fewer than 50, according to the former managers. Drake didn’t respond to a request for an interview with Mitchell, and he didn’t respond to a telephone message left at his office.

High turnover in information-security departments can be costly because of the training that’s required for such positions, said Anup Ghosh, chief executive officer of Invincea, a security company in Fairfax, Va.

“Every time you have turnover, you’re training the next person and losing the institutional knowledge of people there,” he said.

The former managers say they were troubled by the lack of encryption for credit-card data at Home Depot’s stores. Data were sent from the stores to central servers in clear text, according to two of the former managers. Those managers say that this year, Home Depot purchased a tool from Voltage Security that will encrypt the card data. The system hasn’t yet been implemented, they said. Paula Brici, a spokeswoman for Voltage, declined to comment.

Three former information-security managers also say that Home Depot was using out-of-date antivirus software for its point-of-sale systems. The program, Symantec’s Endpoint Protection 11, was released in 2007. Symantec unveiled version 12 in 2011, saying in a news release that the “threat landscape has changed significantly” and the newer product would be a protection against the “explosion in malware scope and complexity.” Kristen Batch, a spokeswoman for Symantec, declined to comment.

Home Depot stayed with Endpoint Protection 11, despite staffers’ pleas to executives, former managers say. Symantec this year began phasing out its remaining customer support for the older version. All such support will end Jan. 5, 2015, according to a page on the software company’s website, which bluntly states: “This is the end of the product life cycle.”