You might have forgotten about the massive Home Depot data breach. After all, it happened in 2014. More then 56M customers’ payment card data was exposed as a result of malware being installed on the self-checkout lanes in numerous stores. (While I haven’t been in any store in a while, I do recall those self-checkout lanes to be annoying and spending time rescanning my items.) The malware operated for several months before it was detected and removed. At the time, it was the largest breach on record. The main cause of the breach was stolen third-party credentials. A report that SANS has put together is an excellent analysis of what happened.
The company was fined $17.5M as a result as part of a settlement which was announced this past week with various state and federal officials. Reviewing the press release was quite revealing (for once) because it lists a number of action items that Home Depot had agreed to implement to prevent further breaches. These include:
- Having a Chief Information Security Officer report to C-level executives and the Board of Directors
- Providing resources necessary to fully implement the company’s information security program, including a comprehensive security awareness and privacy training program
- Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, and data encryption controls
- Regular vulnerability scans of their networks that includes risk assessments, penetration testing, intrusion detection, and vendor account management
- Appropriate network segmentation of their POS equipment and other sensitive areas
One would hope that in the past six years they have actually done all of these. Yes, our legal system moves quite slowly. But it is a handy reference list for all of us to evaluate the IT security of our own businesses. And it isn’t as simple as turning on all the features of their endpoint protection tool (something that Home Depot didn’t do back in 2014 for some odd reason) but implementing more system-wide efforts that need continuous attention. For example, the POS was running Windows XP, which was outdated and quite vulnerable even in 2014.
IT security isn’t a destination, but an evolutionary process. Take your eyes off the ball and you’ll find yourself in a similar situation to Home Depot.