How Home Depot Got Hacked

Home Depot on Thursday (Nov. 6) reported that, in addition to the data for 56 million payment cards that was stolen, thieves also grabbed 53 million customer E-mail addresses. How was it done? New details confirmed that “criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network,” the home improvement chain said. The attackers “then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.”

The Wall Street Journal, citing a more complete breach report, offered more details as to how the thieves attacked and why they moved as they did.

“Once inside Home Depot’s systems after gaining credentials from the outside vendor, the hackers were able to jump the barriers between a peripheral third-party vendor system and the company’s more secure main computer network by exploiting a vulnerability in Microsoft’s Windows operating system,” the story reported. “Microsoft issued a patch after the breach began, and Home Depot installed it, but the fix came too late. Afforded such access, the hackers were able to move throughout Home Depot’s systems and over to the company’s point-of-sale systems as if they were Home Depot employees with high-level permissions.”

It’s been previously reported that the thieves focused on the company’s self-checkout terminals, but the Journal provided an interesting insight into why.

The thieves “then targeted 7,500 of the company’s self-checkout lanes because the registers’ reference names in the computer system clearly identified them as payment terminals. The people briefed on the investigation said they think the attackers missed the company’s more than 70,000 standard cash registers because the mainline payment terminals were identified only by number,” the story said.

Another interesting detail is that the attackers did not follow the usual cyberthief playbook of operating in the middle of the night. The Home Depot thieves “evaded detection in part because they moved around Home Depot’s systems during regular daytime business hours and designed the malware to collect data, take steps to transmit it to an outside system and erase its traces. The malicious software installed on the self-checkout terminals lurked undetected for five months. In fact, the hack might have gone unnoticed for much longer if the hackers hadn’t put batches of stolen credit-card numbers up for sale while a number of Home Depot executives were away on vacation for the Labor Day holiday.”

For what it’s worth, the point of entry for the massive attack was a server at a store south of Miami, the story said.