Months of security warnings reportedly preceded Home Depot hacking.
More information has emerged on the Home Depot data breach, which the company confirmed on Sept. 8. The breach put as many as 56 million credit cards at risk—more than the 40 million affected by Target’s breach last year. Home Depot did not confirm the breach until almost a week after credit card data linked to its customers was already for sale on a black market Website.
It now appears Home Depot had the opportunity to take steps that could have potentially prevented or alerted it sooner to the breach. According to a report by Bloomberg, in the year before cybercriminals attacked Home Depot’s payment systems, the retailer experienced at least two smaller hacks, prompting the company’s security contractors to urge the company to strengthen its cyberdefenses by activating an important but unused feature of its security software that would have added a layer of protection to the retail terminals where customers swipe their cards—advice that was not heeded.
A person familiar with the investigation told Bloomberg that it’s not clear if activating this safeguard would have prevented the breach, as the attack did not hit stores’ registers, but experts agree it could have significantly increased the chances of detecting the malware.
The breach will cost Home Depot $62 million this year in recovery costs, including costs for call-center staffing and legal expenses. Insurance will cover $27 million of that cost, Bloomberg reported.
The hackers used custom-made software to evade detection, relying on tools that hadn’t been used in previous attacks, Home Depot said in a statement. The malicious software, which “is believed to have been present between April and September 2014,” has now been removed from the company’s systems.
As of Sept. 13, Home Depot announced it had completed a major security project, enhancing encryption in its U.S. stores. The same project will be finished at its Canadian stores by early 2015. Home Depot didn’t previously encrypt the customer card data on its registers and computers inside its stores, former information security managers told Bloomberg.
