Home Depot is facing claims it ignored security warnings from staff, who say that prior to its loss of 56 million credit cards it had failed to update its anti-virus software since 2007, did not consistently monitor its network for signs of attack, and failed to properly audit its eventually-hacked payment terminals.
The fixer-upper retail giant failed to conduct even basic adequate scans in line with the Payment Card Industry Data Security Standard (PCI DSS), former employees told the New York Times, with more than a dozen customer information databases unbelievably marked as off-limits to security staff.
Former unnamed security staff told the paper they were so concerned about the poor state of its IT systems that they warned their friends to ‘use cash’ instead of credit cards.
They further contended the organisation ran a Symantec anti-virus product dated 2007 (it was unclear if the signature database was updated) and that executives rejected requests to improve the state of security.
Executives reportedly told pleading staff that “we sell hammers”.
The failings, if true, appear to place Home Depot in breach of PCI DSS, which requires regular third-party audits of the security systems protecting card data. The Council has been asked for comment.
Home Depot was this year planning to deploy encryption across its payment systems and to roll out EMV credit card security, but those projects came too late to stop the breach.
In 2012 Home Depot hired and promoted Ricky Joe Mitchell within its security ranks; in April he was sentenced to four years in prison for performing a factory reset on his former employer’s servers.
Some estimates suggest the stolen credit cards being flogged online could result in $3 billion in fraud.
Last week Home Depot admitted malware had infected its PC-powered tills, which were thought to be the self-checkout registers.