Did Home Depot Ignore Security Warnings?

Did Home Depot’s IT operation ignore—for years—internal warnings that its security was inadequate? A New York Times report, quoting various former employees of the home improvement chain, says that it did.

“Home Depot’s handling of its computer security was a record of missteps,” the Times story reported, adding that the former employees said Home Depot “was slow to respond to early threats and only belatedly took action. In recent years, Home Depot relied on outdated software to protect its network and scanned systems that handled customer information irregularly, those people said. Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.”

The Times story spelled out the chain’s specific lapses: “They said managers relied on outdated Symantec antivirus software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers. Also, the company performed vulnerability scans irregularly on the dozen or so computer systems inside its stores and often scanned only a small number of stores. And yet, two former employees said, while Home Depot data centers in Austin, Tex., and Atlanta were scanned, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.”
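The monitoring the Times says was missing, spotting “a strange server talking to its checkout registers”, comes down to knowing which hosts are supposed to talk to the register segment and alerting on any other host that does, especially one that fans out across many registers. The script below is an added illustration written for this page, not code from Home Depot or from the Times report; the register subnet, the allowlisted back-office servers and the flow records it reads are all constructed for the example.

```python
"""Flag unexpected hosts talking to point-of-sale registers.

Added illustration (not code from the Times report or Home Depot) of the
continuous monitoring the story describes as absent. Subnets, host roles
and the flow records below are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Assumed (constructed) layout: registers live in one subnet and are
# expected to exchange traffic only with an allowlisted set of servers.
REGISTER_SUBNET = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_PEERS = {
    "10.10.1.5",   # hypothetical payment gateway
    "10.10.1.6",   # hypothetical inventory/pricing server
    "10.10.2.10",  # hypothetical patch/AV management server
}

# Constructed flow records in a NetFlow-like "src,dst,dport,bytes" layout.
# The 10.20.7.99 host is not on the allowlist and touches three registers.
SAMPLE_FLOWS = """\
10.10.1.5,10.50.3.21,443,8120
10.50.3.21,10.10.1.5,443,2210
10.10.2.10,10.50.3.21,445,10240
10.20.7.99,10.50.3.21,445,3145728
10.20.7.99,10.50.3.22,445,3140000
10.20.7.99,10.50.3.23,445,3150000
10.50.3.22,10.10.1.6,8080,512
"""


def parse_flows(text):
    """Parse CSV-style flow lines into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = line.split(",")
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def is_register(addr):
    """True if the address falls inside the register subnet."""
    return ipaddress.ip_address(addr) in REGISTER_SUBNET


def unexpected_register_peers(flows, allowed=ALLOWED_PEERS):
    """Return {peer: {"registers": set, "bytes": int}} for non-register
    hosts that exchanged traffic with a register but are not allowlisted."""
    findings = defaultdict(lambda: {"registers": set(), "bytes": 0})
    for src, dst, dport, nbytes in flows:
        # Only look at flows where exactly one side is a register;
        # register-to-register chatter is a separate question.
        if is_register(src) == is_register(dst):
            continue
        peer, register = (dst, src) if is_register(src) else (src, dst)
        if peer in allowed:
            continue
        findings[peer]["registers"].add(register)
        findings[peer]["bytes"] += nbytes
    return dict(findings)


def fan_out_alerts(findings, min_registers=2):
    """One host reaching many registers is the pattern worth paging on.
    Return (peer, register_count, bytes) tuples, most registers first."""
    hits = [(peer, len(f["registers"]), f["bytes"])
            for peer, f in findings.items()
            if len(f["registers"]) >= min_registers]
    return sorted(hits, key=lambda h: (-h[1], -h[2]))


if __name__ == "__main__":
    found = unexpected_register_peers(parse_flows(SAMPLE_FLOWS))
    for peer, regs, nbytes in fan_out_alerts(found):
        print(f"ALERT {peer} reached {regs} registers ({nbytes} bytes); "
              f"not on the register allowlist")
```

The allowlist is the piece that requires ongoing care: it must be maintained from a real inventory of what the registers legitimately talk to, and the detector is only as good as the completeness of the flow records it is fed, which is why the same story's point about systems that were “off limits to much of the security staff” matters for monitoring as much as for scanning.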

The story also noted that Home Depot apparently did not conduct thorough due diligence on some security hires. “In 2012, Home Depot hired Ricky Joe Mitchell, a security engineer, who was swiftly promoted under Jeff Mitchell, a senior director of information technology security, to a job in which he oversaw security systems at Home Depot’s stores. The men are not related,” the Times reported. “But Ricky Joe Mitchell did not last long at Home Depot. Before joining the company, he was fired by EnerVest Operating, an oil and gas company, and, before he left, he disabled EnerVest’s computers for a month. He was sentenced to four years in federal prison in April.”

The story said some of the oversights were part of the Home Depot culture. “Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: ‘We sell hammers.’”