Home Depot's security breach that left 56 million credit card numbers and 53 million customer email addresses vulnerable was blamed by a Windows vulnerability. When executives at the home improvement retailer learned of cause of the breach, those executives were quickly given replacement MacBook laptops and iPhones
According to a report on the WSJ, hackers gained access via a Windows vulnerability, allowing them to target 7,500 self checkout terminals:
Once inside Home Depot's systems after gaining credentials from the outside vendor, the hackers were able to jump the barriers between a peripheral third-party vendor system and the company's more secure main computer network by exploiting a vulnerability in Microsoft Corp. 's Windows operating system, the people briefed on the investigation said.
The vulnerability had since been patched by Microsoft, but still came too late.
As Home Depot was investigating the breach, their IT team bought senior executives iPhones and MacBooks:
Four days after the company had been alerted, Home Depot's investigators discovered evidence that malware had been deleted from a store computer. The company was able to confirm a breach, but it couldn't be sure its critical business information was out of danger. An IT employee bought two dozen new, secure iPhones and MacBooks for senior executives, who referred to their new devices as "Bat phones."
Source: WSJ
Reader comments
Home Depot switches execs to iPhones, MacBooks as it blames Windows for massive breach
TIL All of Home Depot runs off of the execs laptops.
So I assume they'll be switching to OS X embedded Oh wait.....
Blame Microsoft because why, they didn't bother upgrading from Windows XP?
Posted via the iMore App for Android
Most PoS stuff and warehouse systems run in Windows Embedded. which is Windows XP.
Which proves his point. And doesn't it bother anyone that they only changed the executive devices? Are they implying that is where the information is stored??? Hmm.
Posted from the amazing whatever device I can afford because I'm a broke college kid.
That is where the most proprietary and important corporate info is stored. They don't really care about customer email addresses and credit card numbers.
Sent from the iMore App
Um, ya, I would imagine they DO care. It's a PR nightmare.
Well, in order to get a decision like a switch to Apple products approved at a corporate level, you NEED the buy in of the Execs. Get their buy in and then it will trickle down.
Windows Embedded has a version based off of Windows 7, which I belive was not susceptible to this flaw. So that doesn't really fix this problem. Plus, why would it matter what OS executives are using when the problem was with the servers storing customer data?
Windows XP isn't updated anymore right? So it had to be at least Vista they were using.
Nope, a lot of places still use xp regardless of that. My school is just now starting the switch to 7 after how many months now? But this is after 2 semesters of people private information being stored there.
Posted from the amazing whatever device I can afford because I'm a broke college kid.
Does your school know that windows 7 is going to be EOL (End of Life) next year (2015)?
That's the end of mainstream support, with new features, optimizations and other consumer improvements. This includes, but isn't limited to: Warranty claims, design improvements and "no-charge incident support."
However, /security/ updates (the stuff actually relevant to a security breach) will continue through Jan 2020.
Windows POS Ready or whatever they call embedded XP these days will continue getting updates until 2019. That's why some are hacking into those updates for their older XP machines.
One (or some) of the execs was probably pro-Apple and used this as an excuse to make his case. Smart move.
Sent from the iMore App
They call them "bat phones" according to the article. Yep, very smart people we are talking about here, people who are totally current on today's technology I'm sure.
While I am happy for them getting better equipment because of the incident, there is really no connection here...
And while it makes zero sense to run something as rudimentary as checkout terminals on something as needlessly complex and vulnerable as Windows, this should really not cause such catastrophic failure if the network is designed properly. How, in 2014, terminals let to third parties like vendors can even get on the same internal network as critical internal data, is beyond me. With virtualization being affordable and even dirt cheap switches supporting VLANs now, this should not ever be something the OS can cause - if there is a way, somebody will eventually find it. I hope they reserve some money for looking into their entire network and software architecture as well.
This is from Anandtech article. "The Home Depot's former chief executive Mr. Blake, states to The Wall Street Journal:
If we rewind the tape, our security systems could have been better. Data security just wasn’t high enough in our mission statement."
So they blame Windows, make a big deal and point out to the public they bought Iphones and Mac's. Even though it was there fault for not updating and taking customer data security seriously.
I am a Windows admin and I use Apple stuff. This falls on Home Depot IT for not updating and or moving to a new embedded OS when they should. They even stated it started from a 3rd party network that had access into the Home Depot network and was not segregated off. Really, stop blaming Windows and own up.
You nailed it, those of us in IT know this well. Security is everything today, job #1. If you are in IT and it isn't, you won't be in IT for much longer.
"Blames Windows for massive breach"
Wow, what a bunch of blame-shifters. The cause of the breach was poorly implemented security protocols and lack of common sense. The same as with the Target breach.
Why not Android and Linux? Oh wait, they're execs and wanted some new toys.
You only switch to Android if you want to have a lot of keyloggers and malware, not if you want to avoid it.
Linux would have been nice, but I doubt the execs are geeky enough to use it.
There's nothing wrong with breaking away from the ball and chain of MS. There is nothing more painful than having to use a Windows PC at work after enjoying my MacBook at home.
Keyloggers and malware??? Lmao.. Go restart your macbook and ibend
Posted via the iMore App for Android
The truth hurts don't it. Like 99+% of mobile malware being on Android. But thanks for trolling the iMore forums. Go stick your droid where it belongs.
You listen to Rene too much...
Posted via the iMore App for Android
Ironic that a Google search will tell you that 99% of mobile malware has targeted android.
Ha, an android user in here?, they love it in Apple forums.
Sent from the iMore App
It's very painful using OSX and not being able to run the programs I want.
Posted via iMore App
I know. My favorite keyboard loggers just won't run on OSX. Bummer.
Lol there's a thing called Antivirus and there's lots of free ones which you barely have to do any maintenance with. Anyways, what fool doesn't know if what they are downloading is a virus? It's obvious.
Yeah, there's no connection here. The breach was with their PoS and servers, yes? So the executives were like "um...yeah...it's that Windows! Give us new phones and laptops please! Also, we think that Ford had something to do with it too, so upgrade our company cars to Mercedes please. This should fix everything".
I've been to Home Depot a few months ago. I couldn't believe how antiquated the system the salesman was using. It looked very much like it was running off DOS, not Windows of any kind. Appearances can be deceiving.
It seems obvious from the action taken that they assume the initial breach was caused by an executive — someone with Cross pens in their pocket protector — brought the initial breach in with him from home, and that it would be less likely to happen again if they were using Apple devices. But, who knows?
Executives are the least intelligent in the Bunch!!!
Sent from the iMore App
Jim has a very interesting "take," and one which didn't occur to me. I remain astounded at the number of major corporate entities, most of which hold personal and private data, not theirs, but OURS, still running XP. Why? Because of the way they define and explain profits:
Profits=total income minus total costs. That part's ok. It's in the details: if total "income" continues to decline, perhaps because they are trying to sell something that nobody wants to buy, the executives' bright idea isn't to sell something people do want to buy. It's to cut expenses. And in my experience, the first thing that they cut is IT and security. Well nowadays, they also try to cut benefits but that's a discussion for another story.
True story: in January I changed insurance and started going to Kaiser in Northern Virginia. Imagine my shock, when I arrived at my first doctors appointment, to see their desktop computers booting up flashing the old windows XP screen.
So they go from a company with over 20+ years of dealing with security to a company that have almost zero experience dealing with security lol
smart move - i guess
What? A previous news item says Home Depot was going to switch to the iPhone from BlackBerry in Feb. 2013 when Home Depot was worried that RIM was in danger...
http://www.reuters.com/article/2013/02/11/us-blackberry-homedepot-shares...
Home Depot needs to get its act together when it comes to IT security and stop blaming others for their own problems.
Here, Here!!!!
Sent from the iMore App
Brilliant move Home Depot, good luck getting that Apple point-of-sale system operating. Oh what's that, you aren't updating the insecure systems in question to Apple? That's OK, iMore will bite on the story anyway.
They blame Microsoft for Home Depot not wanting to spend the money to upgrade??, this isn't the software manufacturers fault but the CHEAP ASS execs at Home Depot, and by the way they start their employees off at $8.00 an hour, so who is the Cheap Ass now?
Sent from the iMore App
Right. If only they had paid their genius cashiers $10 an hour, the hacks would never have happened.
Since when does changing the endpoint eliminate vulnerabilities in the network/server infrastructure? Lol, this is what happens when Senior Management teams are given too much technical information and lack faith in their advisers.
I call BS. Home Depot switched all execs and store managers on up to iPhones two years ago.
don't ya just love that arrogance. At the same time they are going on about 'security' they continue to use the same insecure system that they always have with one exception...
...because they love their customers and the security of their customers they have turned off the NFC and decided that the sole mobile payment form that they will be taking is PayPal from now on. When I emailed Home Depot to ask why suddenly I couldn't use either Google Wallet or Apple Pay when I had used Google Wallet a day or two before my iPhone arrived and I switched back from Android. It showed then a nice little splash screen saying NFC available and an option to touch the screen and use PayPal. The NFC was switched off last time I was in. The response I received was, "We value the security of our customer's data and are always reviewing the payment interface to protect the customers!", so they feel that using a secure NFC payment method is less secure than someone standing over your shoulder watching you type in a cell phone number and a pin number to pay through PayPal -- it gives me a warm happy glow inside just thinking about the cozy deal that Home Depot has done with PayPal to form an exclusivity deal and push out NFC. I responded back to Home Depot reflecting this feeling with a special note that it was purely sarcastic and not meant as a compliment and suggested that maybe they started a program of replacing the antiquated Point of Sale systems that are dilapidated, constantly crashing leaving customers waiting 10 or more minutes while it restarts and connects to the network followed by another 10 minutes after while the little card reader box boots itself back up.
God I hate these hypocrite idiots that run businesses and use their blunders to spend money on new devices for the management level while the biggest problem is that their point of sale systems are an open doorway into their network and remain easily accessible and still open. The home Depot locally doesn't even have a user id & password on their Point of Sale that is secure. They have it written on a board next to the checkout.