Home Depot breach facilitated by hole in its online defences

7 Nov 2014

Retailer Home Depot’s investigation into the online breach of 53m of its customers’ data has found the breach resulted from a flaw in its system that grew after hackers obtained a vendor’s username and password.

Home Depot reiterated that the only details the hackers obtained were customers’ email addresses, and not more sensitive information, such as credit card numbers or other bank details.

Over the last number of weeks, the company learned that once hackers used the third-party vendor’s username and password to enter the perimeter of Home Depot’s network, they were able to spread data-mining malware throughout portions of the network, resulting in one of the world’s largest ever data breaches.

Soon afterwards, the company claimed its anti-malware software was unable to detect the malware entering the network because of its complex design, which was evidently created to avoid detection.

Perhaps the biggest worry for consumers in the US and Canada who were affected by the breach is that the encryption software designed to protect them in the event of a data breach had been implemented as far back as January this year, but was only fast-tracked into effect following the data breach in September.

How badly this breach damages the company’s standing from a financial perspective remains to be seen, but Home Depot’s third-quarter financial results are due for release on 18 November, which may detail the costs of this investigation.

Colm Gorey was a senior journalist with Silicon Republic