How Home Depot Got Hacked

Home Depot on Thursday (Nov. 6) reported that, in addition to the data for 56 million payment cards that was stolen, thieves also grabbed 53 million customer E-mail addresses. How was this all done? The new details confirmed that "criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network," the home improvement chain said. The attackers "then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada."

The Wall Street Journal, citing a more complete breach report, offered more details as to how the thieves attacked and why they moved as they did.

"Once inside Home Depot’s systems after gaining credentials from the outside vendor, the hackers were able to jump the barriers between a peripheral third-party vendor system and the company’s more secure main computer network by exploiting a vulnerability in Microsoft’s Windows operating system," the story reported. "Microsoft issued a patch after the breach began, and Home Depot installed it, but the fix came too late. Afforded such access, the hackers were able to move throughout Home Depot’s systems and over to the company’s point-of-sale systems as if they were Home Depot employees with high-level permissions."

It's been previously reported that the thieves focused on the company's self-checkout terminals, but the Journal provided an interesting insight into why.

The thieves "then targeted 7,500 of the company’s self-checkout lanes because the registers’ reference names in the computer system clearly identified them as payment terminals. The people briefed on the investigation said they think the attackers missed the company’s more than 70,000 standard cash registers because the mainline payment terminals were identified only by number," the story said.

Another interesting detail is that the attackers did not follow the standard cyberthief practice of attacking in the middle of the night. The Home Depot thieves "evaded detection in part because they moved around Home Depot’s systems during regular daytime business hours and designed the malware to collect data, take steps to transmit it to an outside system and erase its traces. The malicious software installed on the self-checkout terminals lurked undetected for five months. In fact, the hack might have gone unnoticed for much longer if the hackers hadn’t put batches of stolen credit-card numbers up for sale while a number of Home Depot executives were away on vacation for the Labor Day holiday."

For what it's worth, the point of entry for the massive attack was a server at a store south of Miami, the story said.


