Home Depot breach shows vulnerability of external vendors

In September retailer Home Depot announced a large-scale breach of customer credit-card data, affecting as many as 56 million consumers. The attack bears strong similarities to the theft of customer data Target suffered late last year, particularly because the Home Depot breach also involved compromised point-of-sale systems. Home Depot subsequently reported that the data stolen in the attack includes tens of millions of customer email addresses, making it seem very likely that shoppers who made purchases at Home Depot during the five-month period when the attack was underway may be targets in phishing scams at some point in the future. The fact that the point-of-sale malware that attackers were able to install at Home Depot went undetected for such a long time provides some evidence to support media reports and comments attributed to former Home Depot employees that the company didn’t take information security very seriously (a statement that does not seem to apply to Target, despite the mistakes it made).

The Home Depot breach also resembles the Target incident in that the first avenue of attack was network credentials that had been provided to a third party – a HVAC contractor in Target’s case and an unspecified member of Home Depot’s vendor community. In both cases the attackers seem to have found less rigorous security (or perhaps security awareness) among external parties that had nonetheless been granted access to the companies’ networks. Given the large number of partners and external vendors with whom these retailers work, it seems highly unlikely that Home Depot or Target imposes any type of rigorous security standards on third-party organizations. This is one area in which companies in sectors such as financial services or health care have more robust requirements, as external partners and business associates in these industries typically are bound by formal contractual agreements that at least require them to provide adequate safeguards for sensitive or confidential information. Similarly, federal government agencies often require third-party service providers to either attest or actual demonstrate that they have appropriate security measures in place as a condition of doing business with the government. While it may not be reasonable to expect external partners to adhere to the same level of protection as major retailers, if reported accounts are accurate that third-party credentials were obtained through phishing or other social engineering methods, then requiring such vendors to at least undergo basic security awareness training help reduce the likelihood of attackers exploiting these business relationships.