
posted by martyb on Sunday September 21 2014, @01:09PM
from the the-hole-is-greater-than-the-sum-of-the-parts dept.

ArsTechnica reports:

Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by the New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating LLC in Charelston, South Carolina [sic; actually Charleston, West Virginia] and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.

See our earlier stories: Credit Card Breach at Home Depot and Home Depot Estimates Data on 56 Million Cards Stolen by Cybercriminals.

[Update: EnerVest was reported by Ars Technica to have been in Charelston, South Carolina but according to the linked indictment was actually located in Charleston, West Virginia.]

Related Stories

Credit Card Breach at Home Depot 29 comments

Krebs on Security broke a story about Home Depot being breached, with an update stating that the banks believe the breach goes as far back as late April/early May.

Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

[...]

In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”

Home Depot's stock price also took a dive when the news was released.

Home Depot Estimates Data on 56 Million Cards Stolen by Cybercriminals 19 comments

In a follow-up to the initial story, Home Depot has released more information about the breach. From the Ars Technica article:

The cybercriminals that compromised Home Depot's network and installed malware on the home-supply company's point-of-sale systems likely stole information on 56 million payment cards, the company stated on Thursday.

In the first details revealed in its investigation of the breach, the company said the malicious software that compromised those payment systems had been custom-built to avoid triggering security software. The breach included stores in the United States and Canada and appears to have compromised transactions that occurred between April and September 2014.

It's worth pointing out that an article by Brian Krebs states the investigation is focused on the self-checkout terminals, which might explain why more cards weren't affected.

  • (Score: 3, Interesting) by kaszz on Sunday September 21 2014, @01:18PM

    by kaszz (4211) on Sunday September 21 2014, @01:18PM (#96306) Journal

    Would there have been any chance for the casual but knowledgeable shopper to find out that their security was a scam?

    • (Score: 5, Insightful) by Horse With Stripes on Sunday September 21 2014, @02:13PM

      by Horse With Stripes (577) on Sunday September 21 2014, @02:13PM (#96323)

      > Would there have been any chance for the casual but knowledgeable shopper to find out that their security was a scam?

      No.
      - If you start asking security related questions then you appear to be someone who is trying to acquire knowledge for a future attack.
      - If you start futzing with a POS device then you will be blamed for anything wrong with it including any malicious software found on it (this visit you were just checking on your previously installed software).
      - If you pay cash (which is what I am going to do this morning when I visit HD) then you are secure (even if a bit inconvenienced for having to go to the bank to have cash in hand).

      After the Target debacle I started using cash more often than not to make in-person purchases. After this Home Depot breach I'm going to be using cash for everything I can. The convenience of using a debit card is now outweighed by the concern of having to replace my card again.

      • (Score: 0) by Anonymous Coward on Sunday September 21 2014, @02:27PM

        by Anonymous Coward on Sunday September 21 2014, @02:27PM (#96329)

        > The convenience of using a debit card is now outweighed by the concern of having to replace my card again.

        Debit cards have always been for suckers. Recently they have been slightly reformed by federal law, but are still sucker-bait.
        When your credit card is used fraudulently, the money is stolen from the bank, and there are federal laws that prevent them from making you liable.
        When your debit card is used fraudulently, the money is stolen from you, and there are corporate policies that let them decide to give you your money back.

        But even when they do give you your money back, if you've had other events in the meantime, like bounced checks because your balance was zero, you have no remedy for those complications.

        The only person who should ever consider using debit cards is someone who needs a way to do an electronic payment but has such bad credit that they can't qualify for a credit card. Everyone else should stay as far the fuck away from debit cards as possible.

        • (Score: 1, Informative) by Ethanol-fueled on Sunday September 21 2014, @05:36PM

          by Ethanol-fueled (2792) on Sunday September 21 2014, @05:36PM (#96373) Homepage

          Jesus fucking Christ, debit cards are how most people with bank accounts in America pay for things nowadays. You know, because debit card charges don't carry interest?

          Idiots. I'm surrounded by idiots!

          • (Score: 0, Flamebait) by Whoever on Sunday September 21 2014, @05:51PM

            by Whoever (4524) on Sunday September 21 2014, @05:51PM (#96378) Journal

            > You know, because debit card charges don't carry interest?

            Neither do credit cards, if you pay all the bill at the end of the month. In fact, credit cards give you a free loan as long as you pay the bill in full, on time.

            > Idiots. I'm surrounded by idiots!

            Are you looking in the mirror?

            • (Score: -1, Troll) by Ethanol-fueled on Sunday September 21 2014, @06:37PM

              by Ethanol-fueled (2792) on Sunday September 21 2014, @06:37PM (#96394) Homepage

              " Are you looking in the mirror? "

              I am now, loverboy! Behold! Ethanol-fueled's COCK! [postimg.org]

            • (Score: 0) by Anonymous Coward on Sunday September 21 2014, @09:05PM

              by Anonymous Coward on Sunday September 21 2014, @09:05PM (#96454)

              Wow, judging by the moderation this is a case where someone thinks e-fueled actually contributed to the conversation.
              I hope the next time someone claims he occasionally adds value here, they cite this thread so we can all judge just what a positive and thoughtful comment from e-fueled looks like.

            • (Score: 2) by Leebert on Sunday September 21 2014, @09:27PM

              by Leebert (3511) on Sunday September 21 2014, @09:27PM (#96467)

              Even more than that; I get one of: cash back, free train travel, or free airfare, depending on which card I use.

              While debit rewards cards do exist, as far as I can tell they are much more of a rarity.

          • (Score: 1) by Hairyfeet on Sunday September 21 2014, @09:37PM

            by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Sunday September 21 2014, @09:37PM (#96471) Journal

            Uhhh maybe the idiot is you for having a shitty bank? My local bank limits any possible theft on a debit card to $50 and frankly I've never seen them even stick the user with that! In return for this added protection everyone pays a whole dollar a month, but considering the process of getting any false charges removed is as simple as "hi (name of teller), can you believe somebody placed a charge on my card I didn't authorize?" I'd say it's well worth the dollar, wouldn't you?

            --
            ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
            • (Score: 0) by Anonymous Coward on Sunday September 21 2014, @10:31PM

              by Anonymous Coward on Sunday September 21 2014, @10:31PM (#96485)

              > My local bank limits any possible theft on a debit card to $50 [...] In return for this added protection everyone pays a whole dollar a month

              As opposed to paying nothing for a zero dollar limit on theft, combined with a free loan, your deal doesn't look so good. Perhaps you can't get a credit card and you are in denial about how this affects you.

              The GGGP post was correct. Debit cards are for suckers.

            • (Score: 0) by Anonymous Coward on Monday September 22 2014, @02:37AM

              by Anonymous Coward on Monday September 22 2014, @02:37AM (#96551)

              > My local bank limits any possible theft on a debit card to $50

              And that is a policy completely at their discretion versus federal law for credit cards.
              They are free to deny you that protection if the bank manager's opinion is that maybe it wasn't fraud...
              I'll take the law over the opinion of a bank manager any day.

              And that doesn't even begin to address the problem of fees from checks that bounced between the time your account was drained and when you discovered it. The bank will probably refund any NSF charges they levied, but they won't do a thing about the penalties from the places you sent checks to, like your mortgage payment, car loan payment, utilities, etc.

              Debit cards are simply a last resort, despite the millions of dollars spent marketing them to convince people otherwise.

    • (Score: 5, Insightful) by Justin Case on Sunday September 21 2014, @02:21PM

      by Justin Case (4239) on Sunday September 21 2014, @02:21PM (#96327) Journal

      Never mind the casual shopper. Even the world's best security tester can't legally evaluate an organization's security before deciding whether to become a customer. That would be attempting to hack their systems, which a lot of people think is a crime.

      It's like if your bank has paper walls, but you're not allowed to look, because if you look, you must be planning a crime right?

      We need a trusted independent third party to rate the security of all organizations -- with their consent of course -- but part of the evaluation is you must give permission to disclose the findings to the world. Then shoppers could consider who's doing a good job and who's not.

      Right now even if your lifetime medical history gets released (never to be recaptured once it's out) all you get is a bulk email saying we're sorry and here's where you can get a free credit report. No actual recourse to the victim. The people making the risk decisions are not the people facing the downside of the risk.

      So just assume every business is vulnerable and do your best to keep your secrets to yourself.

      • (Score: 3, Informative) by kaszz on Sunday September 21 2014, @02:48PM

        by kaszz (4211) on Sunday September 21 2014, @02:48PM (#96338) Journal

        I think this is the important factor: "The people making the risk decisions are not the people facing the downside of the risk."

        Perhaps more vigilante is needed to close the control loop?

        Anyway, a cash terminal (POS) that runs code from Microsoft should be a tip off that security is lax. Lack of chip & pin can also be a tip off or turnover at IT-department etc.

        • (Score: 1, Informative) by Anonymous Coward on Sunday September 21 2014, @02:54PM

          by Anonymous Coward on Sunday September 21 2014, @02:54PM (#96341)

          > I think this is the important factor: "The people making the risk decisions are not the people facing the downside of the risk."

          Responsibility without accountability.
          It is practically the definition of power in every human culture.

        • (Score: 4, Interesting) by Whoever on Sunday September 21 2014, @06:11PM

          by Whoever (4524) on Sunday September 21 2014, @06:11PM (#96387) Journal

          "The people making the risk decisions are not the people facing the downside of the risk."

          It was Home Depot that proposed paying $400M to an outgoing CEO whom the board had asked to leave because of his poor performance. It seems that at the C* level, there is only payment, whether successful or not.

  • (Score: 4, Insightful) by Justin Case on Sunday September 21 2014, @01:50PM

    by Justin Case (4239) on Sunday September 21 2014, @01:50PM (#96313) Journal

    Everyone does. Nobody wants to hear about problems.

    Twice a week on average I sit in some meeting where a project director is given a long list of security weaknesses in their systems. They don't care. Their whole attitude is how do I make this report go away? Where do I sign to "accept the risk" and move forward?

    Compliance is not security. People think if they "do their due diligence" and "document the concern" they're done. Why would anyone actually fix it? We've got authority to move ahead. Don't want to delay the rollout you know.

    There is utter hostility toward security on all fronts. If we have to do that, it won't be cool any more. You just want to slow us down. Keep away from my network, I don't want you finding stuff.

    I'm all-cash as much as possible. Have been for years. Networking millions of infested bot-zombies is an incurable mess. Even PCI compliance is a joke. Fifty pages of requirements and you can still be pwned, easy, because you're checking checkboxes, not securing systems!

    • (Score: 3, Interesting) by Lagg on Sunday September 21 2014, @04:58PM

      by Lagg (105) on Sunday September 21 2014, @04:58PM (#96365) Homepage Journal

      Pretty much, most of my job is probably trying to fix things like that. Though interestingly enough it's often the case where it isn't the business owner's/executive's fault but the IT department or the other guy I replaced. But yeah. The attitude is generally to ignore it. Can't agree more re. PCI compliance though. It does have one use however: Making it impossible for a tiny business to implement their own payment system. I'm generally one guy meaning no QA or clean auditing and there is no way in hell I can negotiate reading the PCI specs and actually trying to keep in line with them at the same time. It's pretty much a requirement for it and any other non-trivial spec to have a separate guy that can read code auditing it. At least one guy.

      I'm not even saying that's a bad thing either. Tiny businesses often shouldn't be doing that anyway. Could go both ways I suppose.

      --
      http://lagg.me [lagg.me] 🗿
      • (Score: 1, Informative) by Anonymous Coward on Sunday September 21 2014, @06:17PM

        by Anonymous Coward on Sunday September 21 2014, @06:17PM (#96388)

        > Can't agree more re. PCI compliance though. It does have one use however: Making it impossible for a tiny business to implement their own payment system.

        So just like software patents then, designed to make sure the too-big-to-fail fat cats never have to worry about anybody else eating their lunch while at the same time being absolutely useless for the stated purpose.

        This sure is the favorite card of the big fuckers, make the other guy's business illegal...

        • (Score: 2) by kaszz on Sunday September 21 2014, @09:56PM

          by kaszz (4211) on Sunday September 21 2014, @09:56PM (#96475) Journal

          "This sure is the favorite card of the big fuckers, make the other guy's business illegal..."

          Ask any FCC, EMC or RoHS loop hopper.. ;)

  • (Score: 3, Informative) by WizardFusion on Sunday September 21 2014, @01:57PM

    by WizardFusion (498) Subscriber Badge on Sunday September 21 2014, @01:57PM (#96318) Journal

    15+ years ago I used to work for a DIY company in the UK (now no longer with us). They used to take customer orders over the internet, including credit card payments, then email the whole thing in plain text to the nearest store to make up and charge for that order.

    • (Score: 3, Funny) by Fnord666 on Sunday September 21 2014, @03:15PM

      by Fnord666 (652) on Sunday September 21 2014, @03:15PM (#96344) Homepage

      > 15+ years ago I used to work for a DIY company in the UK (now no longer with us).

      Wait, what happened to the UK? Is this related to the whole Scotland thing? Did I miss something?

  • (Score: 2, Interesting) by Anonymous Coward on Sunday September 21 2014, @02:38PM

    by Anonymous Coward on Sunday September 21 2014, @02:38PM (#96334)

    Home Depot's CIO and EVP, Matt Carey, was hired in 2008; before that he had a 20-year career at Wal Mart with many key managerial responsibilities, followed by a 2 1/2 year stint at eBay. You'd think he'd be the guy to blame for this malware mess, the suit where "the buck stops here".

    But after reading this 2011 article [itbusinessedge.com], it's not so clear. It seems that CFO Carol Tome, who has been with Home Depot forever (across four CEO tenures), was calling the shots in IT and was the one getting the charges from CEO Francis Blake.

    It also seems that CEO Blake was most interested in cutting IT spending.

  • (Score: 3, Interesting) by McGruber on Sunday September 21 2014, @03:26PM

    by McGruber (3038) on Sunday September 21 2014, @03:26PM (#96345)

    Justin Ross Harris, a former HD developer, is facing murder charges in Cobb County, Georgia. His Preliminary Hearing was live-broadcast on an Atlanta television station. When I watched it, I was stunned by how little work he and his coworkers seemed to do.

    After watching cartoons with his child, then taking him out for breakfast, Harris eventually arrived at his office at about 10 AM. About 90 minutes later, he went out for a long lunch with a carload of coworkers. After eating, the group stopped at a store to purchase some items. After lunch, Harris was at his desk for a few hours, but then he was out the door at 4 PM, off to watch a movie with some of his coworkers.

    The hearing documented that he put in, at most, about five hours at his desk. During those five hours, he was IMing women on dating sites and also IMing a couple coworkers about a small startup/consulting business they had.

    The Preliminary Hearing is on YouTube: http://www.youtube.com/watch?v=A-tiBT_0nNg [youtube.com]. Harris worked for Home Depot's ".com business" per a quote from the Home Depot Corporate Communications Manager in this CNN article: http://www.cnn.com/2014/06/26/justice/georgia-toddler-death-father/ [cnn.com]

    • (Score: 1, Interesting) by Anonymous Coward on Sunday September 21 2014, @03:45PM

      by Anonymous Coward on Sunday September 21 2014, @03:45PM (#96352)

      So what are you trying to say? To me this sounds like his bosses did not give a shit about his performance and did not require any. Seems an issue with management.

      • (Score: 0) by Anonymous Coward on Sunday September 21 2014, @04:29PM

        by Anonymous Coward on Sunday September 21 2014, @04:29PM (#96360)

        It is also just one guy. Who knows if he was the office slacker, or even just idling between projects after having put in 2 months of 60 hour weeks to hit a deadline. Extrapolating from one day at work by one guy is not a very good way to come to a meaningful understanding of really anything.