By Shelly Banjo
Home Depot Inc. said hackers got into its systems last April by
stealing a password from a vendor, opening a tiny hole that grew
into the biggest retail-credit-card breach on record.
On Thursday, the company announced the breach was worse than
earlier thought. In addition to the 56 million credit-card accounts
that were compromised, Home Depot now says around 53 million
customer email addresses were stolen as well.
Those addresses are by their nature semipublic, but they can be
used by hackers hoping to trick people into giving away more
sensitive information, and Home Depot warned its customers to be on
guard.
The findings--which come after more than two months of
investigations by the company, law-enforcement agents and hundreds
of security personnel--show the home-improvement retailer fell
victim to the same type of infiltration tactics as Target Corp.,
where hackers gained access last year via a Pennsylvania-based
refrigeration contractor's electronic billing account.
Retailers have been criticized by computer-security experts for
failing to isolate sensitive parts of their networks from those
that are more accessible to outsiders. Target made changes after
the attack last holiday season to address those "segmentation"
issues. Home Depot, however, doesn't believe that its network
design was at fault, according to people briefed on the
investigation.
The bigger problem, the company's executives have said, is that
Home Depot moved too slowly to bolster its security defenses and
too often focused on meeting standards designed to detect known
threats rather than anticipating the fluid, fast-moving tactics of
hackers who are increasingly going after retailers.
Frank Blake, who retired as chief executive last month as
scheduled, has conceded the company needs to place greater emphasis
on data security.
"If we rewind the tape, our security systems could have been
better," Mr. Blake said in an interview last month. "Data security
just wasn't high enough in our mission statement."
Once inside Home Depot's systems after gaining credentials from
the outside vendor, the hackers were able to jump the barriers
between a peripheral third-party vendor system and the company's
more secure main computer network by exploiting a vulnerability in
Microsoft Corp.'s Windows operating system, the people briefed on
the investigation said.
Microsoft issued a patch after the breach began, and Home Depot
installed it, but the fix came too late, the people added. Afforded
such access, the hackers were able to move throughout Home Depot's
systems and over to the company's point-of-sale systems as if they
were Home Depot employees with high-level permissions, the people
said.
Microsoft declined to comment.
The hackers then targeted 7,500 of the company's self-checkout
lanes because the registers' reference names in the computer system
clearly identified them as payment terminals, the people said.
The people briefed on the investigation said they think the
attackers missed the company's more than 70,000 standard cash
registers because the mainline payment terminals were identified
only by number.
The hackers evaded detection in part because they moved around
Home Depot's systems during regular daytime business hours and
designed the malware to collect data, take steps to transmit it to
an outside system and erase its traces. The malicious software
installed on the self-checkout terminals lurked undetected for five
months.
In fact, the hack might have gone unnoticed for much longer if
the hackers hadn't put batches of stolen credit-card numbers up for
sale while a number of Home Depot executives were away on vacation
for the Labor Day holiday.
On Sept. 2, Home Depot Chief Information Officer Matt Carey was
lacing up his sneakers for a morning run in Los Cabos, Mexico, when
he heard from his lieutenant that the Secret Service had found a
batch of suspicious credit-card numbers for sale in an online
hacking forum known as Rescator.
Back in the company's Atlanta headquarters, Treasurer Dwaine
Kimmet got a similar call from an analyst at Capital One Financial
Corp. who had identified the home-improvement retailer as the
common thread linking the stolen cards.
Home Depot tried unsuccessfully to purchase some of the
fraudulent credit cards from the website, but the site crashed as
law-enforcement agencies, banks and criminals all tried to get
their hands on them.
By Day 2, the company's security consultants had acquired
batches of credit cards, and they began visiting stores in Atlanta
and Austin to try to determine usage patterns. Four days after the
company had been alerted, Home Depot's investigators discovered
evidence that malware had been deleted from a store computer. The
company was able to confirm a breach, but it couldn't be sure its
critical business information was out of danger. An IT employee
bought two dozen new, secure iPhones and MacBooks for senior
executives, who referred to their new devices as "Bat phones."
At one point, a security consultant identified a computer at a
store in Watertown, Mass., that he thought could be "patient zero,"
the malware's entry point. The team took the company plane to
retrieve the computer, strapping it to an airplane seat as if it
were a passenger and extracting data on the flight back to Atlanta.
But the computer turned out to be a red herring. Instead, patient
zero turned out to be a server at a store south of Miami.
The attack caught a company that had just gone through several
years of upgrades to computer systems that Mr. Blake acknowledges
were desperately out of date. Following the holiday season attack
on Target, the company gave the green light to a project that would
fully encrypt card data at the payment terminal, making it harder
for hackers to use. But it took months to get the project rolling,
people familiar with the matter said, and the deployment wasn't
finished until September.
Around the time the hackers were moving undetected into the
company's systems in April, Home Depot was putting the finishing
touches on a 45-page playbook on how to respond to a hack.
The playbook was pulled together after a January exercise in
which executives picked apart what they knew about the cyber heist
at Target. It was replete with specific media talking points to
address a variety of scenarios, sample letters to customers and law
enforcement, and task lists outlining executive responsibilities,
according to a document reviewed by The Wall Street Journal.
"The irony was not lost on us," said Mr. Blake, who remains
chairman of Home Depot's board of directors. "We believed we were
doing things ahead of the industry. We thought we were
well-positioned."
Write to Shelly Banjo at shelly.banjo@wsj.com