Home Depot Blames Windows for Their Massive Security Hack

[dgstorm]

In case you missed it, Home Depot is the latest company to be embroiled in a massive hacking scandal like the Target fiasco from last year. Just a few weeks ago, Home Depot revealed that their database was breached by hackers resulting in the theft of over 56 million credit cards and over 53 million emails.

They recently came out blaming an executive's Windows machine for the data breach, and the company quickly purchased a bunch of MacBooks and iPhones for their executives to "fix" the issue. Here's a quote with more of the details,

On September 2nd, the Secret Service told Home Depot that hackers were already selling credit card numbers on the black market, which were traced back to Home Depot.

The company managed to buy some of those credit cards and started its investigation, discovering a few days later that malware had been deleted from a store computer. At that point, unsure about what information had been compromised, Home Depot “bought two dozen new, secure iPhones and MacBooks for senior executives, who referred to their new devices as ‘Bat phones.’”

It’s not clear what vulnerability in Windows the hackers exploited, but Microsoft patched it after the breach began. However, that was too late to stop the Home Depot hackers, who “were able to move throughout Home Depot’s systems and over to the company’s point-of-sale systems as if they were Home Depot employees with high-level permissions,” after using the vulnerability to move from “a peripheral third-party vendor system and the company’s more secure main computer network.” ~ BGR

Perhaps their security protocols may be more to blame than the particular OS on the hacked device. What do you think?

 

[Donald King]

I have managed IT security for a few organizations - and absolutely yes I can tell you their protocols are to blame. Windows does certainly have some security flaws - but good IT security practice can overcome those flaws. And guess what? Every platform has potential security flaws. Anyone who says their chosen platform does not is just a fan boy.....

 

[GreyFox7]

Indeed, they are victims of their own procedures and lax policies. No doubt Executives were exempt from the same policies governing the rest of the employees, leaving them vulnerable and ripe for picking. none of the recent massive leaks and hacks were not totally preventable had they followed known established security practices. These incidents should stand as a wakeup call although Id bet most are saying it wont happen to me.

 

[leeshor]

Totally the fault of the Executive, not Windows.

I could probably, with some questions and sleuthing tell you where he went wrong.

 

[Donald King]

Indeed, they are victims of their own procedures and lax policies. No doubt Executives were exempt from the same policies governing the rest of the employees, leaving them vulnerable and ripe for picking. none of the recent massive leaks and hacks were not totally preventable had they followed known established security practices. These incidents should stand as a wakeup call although Id bet most are saying it wont happen to me.

True. One major problem is that a good portion of IT Execs think that if they put in a firewall, push out Windows updates regularly, and enforce an AV product on the systems, then they are protected. Most people in IT know better. Good IT security goes far beyond technology.

 

[MrElectrifyer]

How did the malware get installed in the first place? That is the question. If it came through the network, then that's definitely a problem in Windows that needs addressing.

If it came by e-mail or any other social engineering trick, then the real threat is between the chair and the keyboard, and switching to any other platform ain't gonna fix that...

 

[Donald King]

User training is a lot of it, but yes you are correct in that all systems are vulnerable. I have a couple of hackers on my security team and believe me they can get into anything they want. Fortunately they use their powers for good . I have learned over the years that it is not a question of will we be breached, it is a question of when will we be breached, and what are we going to do about it. The truly fatal flaw in Home Depot's practices is that they got breached and didn't know about it for weeks or months. Think of it this way - if Home Depot had issued a statement back when the breach happened - like within a day or two - it would have been much less of a story and they would have caught favor with the public for being open and honest. All they had to do was catch it, plug it, then come out and let people know right away. Honesty goes a long way. Instead, they now look like they are either incompetent or like they tried to hide it - both are equally bad of course.

 

[sharpuser]

I don't blame my car for bringing me to a bad day at the office.

Or my shoes.

 

[TeknoBlast]

LOL, That's the funniest thing I read. Blaming an OS for their incompetence. Now they want someone else to be the bad guy and they spent tons of money on unless hardware for business. Such a weak way to shift the blame on someone else.

I've worked for a large oil services company, a bank, a bankruptcy firm, and now a software company...and never in all those years we had a breach because of Windows....and that was working with Windows NT back in the day.

So weak.

 

[GreyFox7]

I don't blame my car for bringing me to a bad day at the office.

Or my shoes.

A bad workman always blames his tools!

 

[annabanana]

If they think Macs and iOS are secure and without security flaws, they haven't been reading the tech news the last couple of weeks.

 

[goodintentions]

Haha, blaming the tools for their failure.