By Shelly Banjo 

Home Depot Inc. said hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record.

On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well.

Those addresses are by their nature semipublic, but they can be used by hackers hoping to trick people into giving away more sensitive information, and Home Depot warned its customers to be on guard.

The findings--which come after more than two months of investigations by the company, law-enforcement agents and hundreds of security personnel--show the home-improvement retailer fell victim to the same type of infiltration tactics as Target Corp., where hackers gained access last year via a Pennsylvania-based refrigeration contractor's electronic billing account.

Retailers have been criticized by computer-security experts for failing to isolate sensitive parts of their networks from those that are more accessible to outsiders. Target made changes after the attack last holiday season to address those "segmentation" issues. Home Depot, however, doesn't believe that its network design was at fault, according to people briefed on the investigation.

The bigger problem, the company's executives have said, is that Home Depot moved too slowly to bolster its security defenses and too often focused on meeting standards designed to detect known threats rather than anticipating the fluid, fast-moving tactics of hackers who are increasingly going after retailers.

Frank Blake, who retired as chief executive last month as scheduled, has conceded the company needs to place greater emphasis on data security.

"If we rewind the tape, our security systems could have been better," Mr. Blake said in an interview last month. "Data security just wasn't high enough in our mission statement."

Once inside Home Depot's systems after gaining credentials from the outside vendor, the hackers were able to jump the barriers between a peripheral third-party vendor system and the company's more secure main computer network by exploiting a vulnerability in Microsoft Corp.'s Windows operating system, the people briefed on the investigation said.

Microsoft issued a patch after the breach began, and Home Depot installed it, but the fix came too late, the people added. Afforded such access, the hackers were able to move throughout Home Depot's systems and over to the company's point-of-sale systems as if they were Home Depot employees with high-level permissions, the people said.

Microsoft declined to comment.

The hackers then targeted 7,500 of the company's self-checkout lanes because the registers' reference names in the computer system clearly identified them as payment terminals, the people said.

The people briefed on the investigation said they think the attackers missed the company's more than 70,000 standard cash registers because the mainline payment terminals were identified only by number.

The hackers evaded detection in part because they moved around Home Depot's systems during regular daytime business hours and designed the malware to collect data, take steps to transmit it to an outside system and erase its traces. The malicious software installed on the self-checkout terminals lurked undetected for five months.

In fact, the hack might have gone unnoticed for much longer if the hackers hadn't put batches of stolen credit-card numbers up for sale while a number of Home Depot executives were away on vacation for the Labor Day holiday.

On Sept. 2, Home Depot Chief Information Officer Matt Carey was lacing up his sneakers for a morning run in Los Cabos, Mexico, when he heard from his lieutenant that the Secret Service had found a batch of suspicious credit-card numbers for sale in an online hacking forum known as Rescator.

Back in the company's Atlanta headquarters, Treasurer Dwaine Kimmet got a similar call from an analyst at Capital One Financial Corp. who had identified the home-improvement retailer as the common thread linking the stolen cards.

Home Depot tried unsuccessfully to purchase some of the fraudulent credit cards from the website, but the site crashed as law-enforcement agencies, banks and criminals all tried to get their hands on them.

By Day 2, the company's security consultants had acquired batches of credit cards, and they began visiting stores in Atlanta and Austin to try to determine usage patterns. Four days after the company had been alerted, Home Depot's investigators discovered evidence that malware had been deleted from a store computer. The company was able to confirm a breach, but it couldn't be sure its critical business information was out of danger. An IT employee bought two dozen new, secure iPhones and MacBooks for senior executives, who referred to their new devices as "Bat phones."

At one point, a security consultant identified a computer at a store in Watertown, Mass., that he thought could be "patient zero," the malware's entry point. The team took the company plane to retrieve the computer, strapping it to an airplane seat as if it were a passenger and extracting data on the flight back to Atlanta. But the computer turned out to be a red herring. Instead, patient zero turned out to be a server at a store south of Miami.

The attack caught a company that had just gone through several years of upgrades to computer systems that Mr. Blake acknowledges were desperately out of date. Following the holiday season attack on Target, the company gave the green light to a project that would fully encrypt card data at the payment terminal, making it harder for hackers to use. But it took months to get the project rolling, people familiar with the matter said, and the deployment wasn't finished until September.

Around the time the hackers were moving undetected into the company's systems in April, Home Depot was putting the finishing touches on a 45-page playbook on how to respond to a hack.

The playbook was pulled together after a January exercise in which executives picked apart what they knew about the cyber heist at Target. It was replete with specific media talking points to address a variety of scenarios, sample letters to customers and law enforcement, and task lists outlining executive responsibilities, according to a document reviewed by The Wall Street Journal.

"The irony was not lost on us," said Mr. Blake, who remains chairman of Home Depot's board of directors. "We believed we were doing things ahead of the industry. We thought we were well-positioned."

Write to Shelly Banjo at shelly.banjo@wsj.com
