July 27, 2015

The Home Depot Breach Offers Key Lessons for Those Hoping to Avoid a Similar Fate

Retail stores (and especially big-box, multiple-store, nationwide retail businesses) face unique security challenges when adapting to advancements in the digital age. Whether you're talking about the Internet or the smart devices that made it mobile, big-name resellers now collect tons of sensitive consumer information every minute of every hour of every day — and when you're collecting and transmitting that much valuable data, you can bet someone's putting big effort into trying to access it for nefarious ends.

For proof, look no further than the Home Depot breach, which occurred last year and compromised the payment card details of 56 million customers, according to the Wall Street Journal. The breach has resulted in lawsuits, financial losses and loss of face for the company, highlighting the importance of both proper security measures and the nasty stuff that can happen when they aren't taken.

That all said, the breach does come with its share of silver linings: First, the encryption system that Home Depot initiated prior to finding out about the breach has been implemented, reducing the chances of its customers dealing with the same sort of hassle again; second, the series of events that allowed attackers to access the data provides a few key lessons for those looking to safeguard themselves in the future.

The Supply Chain . . .

To be clear, Home Depot is far from the first major retailer to see consumer-data theft on a massive scale — and as with attacks that targeted other companies, the breach can be traced back to simple supply chain mismanagement.

Of course, "simple" is a relative term. But from a very high-level perspective, the problems started with "a tiny hole that grew into the biggest retail-credit-card breach on record," according to the WSJ article.

Understanding the specifics of the Home Depot breach after the fact took months of serious investigation on the company's part. In the end, the company said, hackers initiated the attack by obtaining credentials for a system that third-party vendors used to access Home Depot's network. In practice, this could've been any number of apps: a billing system, for instance, or a portal used to upload documents. From there, hackers were then able to leapfrog onto Home Depot's network, utilizing an unpatched Windows flaw to capture millions of e-mail addresses and consumer card details.

. . . And How to Manage It

While several factors had to come together for the attack to be successful, the "tiny hole" detail illustrates a key principle in the security world: Fixing and preventing supposedly small problems can have major benefits.

Even better, as a Veracode white paper entitled "The 7 Habits of Highly Successful Supply Chain Transformations" says, taking measures to prevent malicious intruders isn't as hard or complex as you might think.

First and foremost, the white paper states, pay attention to how you bring third-party vendors into your supply chain. Choosing third parties with proven histories of security — including use of secure internal practices such as password and information-access management — is a fast, simple way to keep your entire perimeter more secure.

Looking specifically at Home Depot's situation, the second rule in the white paper — "Put your efforts where they do the most good" — could've been a big help for the home improvement giant. Going after so-called low-hanging fruit such as proper credential management could've stopped the data thieves early; even if not, going for the easy, obvious fixes is rarely a bad idea, especially if you're keeping on top of bigger security-related concerns as well.

Finally, a focus on communication and consequences can pay dividends in the future when it comes to security. Whether you and your suppliers are bound to outside regulations or not, letting third parties know exactly what's expected of them with regards to security — and what will happen if those expectations aren't met — up front can help avoid all sorts of problems, including those that result in serious breaches. Knowing which rules to define means having a solid security plan of your own; be sure you do when it comes time to hire or renew vendors for your next project.

Secure Supply

If you're looking for simple ways to beef up your own supply chain security, make sure to check out Veracode's full white paper on supply chain transformation. You'll find several easy, conceptual tips designed to help business decision makers build a safer chain from the ground up. And whatever your own network security situation, make sure you take a good, hard look at your perimeter — especially the third-party pieces that comprise it. After all, security flaws are always cheaper to fix before they're exploited. Stay secure out there.

Photo Source: Wikimedia Commons

Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, gives him unique insight into the world of mobile/Web security and the steps needed to properly secure software products. Follow him on Twitter.
