Skip to main content

Home Depot blames security breach on Windows, senior executives given new MacBooks and iPhones

Home Depot Windows

Earlier this week, The Wall Street Journal published an in-depth look at The Home Depot’s recent security breach of its payment data systems, in which 56 million credit card accounts and 53 million email addresses of customers were compromised. A root cause of the security breach: a Windows vulnerability in the retailer’s main computer network.

“Once inside Home Depot’s systems after gaining credentials from the outside vendor, the hackers were able to jump the barriers between a peripheral third-party vendor system and the company’s more secure main computer network by exploiting a vulnerability in Microsoft Corp.’s Windows operating system, the people briefed on the investigation said,” writes the WSJ’s Shelly Banjo.

The report claims that while Microsoft did issue a security patch after the breach began, which was installed by The Home Depot, the fix arrived too late. According to sources familiar with the investigation, the hackers already had the ability to move across The Home Depot’s systems, including its point-of-sale system, as if they were high-level employees.

The report unravels a lot of details related to how the security breach played out, with one anecdote that I found particularly interesting. Following the breach, an IT employee allegedly purchased two dozen new MacBooks and iPhones for senior executives at The Home Depot, indicating that the home-improvement retailer may have lost at least some confidence in its Microsoft-based systems.

MacBooks and iPhones have faced their fair share of security vulnerabilities over the past few years, although recent studies conducted by Kaspersky Labs and similar firms have proven that both devices remain highly secure platforms in terms of protection against malware and other threats. But whether shiny new Macs and iPhones in The Home Depot’s boardroom will help it prevent another massive security breach remains to be seen.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. fredhstein - 9 years ago

    Wow. Think about how this could play out as IBM resells Apple products and Apple Care. Could be big when you consider the charge-back policies of most enterprise IT departments.

  2. Edison Wrzosek - 9 years ago

    Honestly, this put a smile on my face… It’s about time retailers begin realizing that Microsoft’s OS is an old, bloated, crap OS with more security holes in it than Swiss Cheese.

  3. braytonak - 9 years ago

    Sounds like someone taking advantage of the opportunity for a knee-jerk approval of new toys that will make people think they’re doing ‘something’ about the situation. Seriously, adding 24 Macs and iPhones is not going to do anything for the company. Apple is also not known to cater to enterprise management needs, so this is just fluff. Sure, they could potentially skirt some Microsoft licensing with this, but they just need to give their IT the support they need to secure the environment properly instead of deluding themselves that they don’t need security to sell hammers (with credit cards.)

    • Mosha - 9 years ago

      Too right, just fluff…wait, Mac (OSX) and iPhone/iPad (iOS) supports the largest and most valuable corporation in the world (AAPL, Apple). Please tell me again how they can’t cater to enterprise management needs.

      • braytonak - 9 years ago

        It’s not that they can’t, just that they don’t. Apple can utilize whatever they want in-house, even if that means eating their own products and custom applications (dog fooding.) They don’t, however, offer enterprise-level services and support to other enterprises. In other words, you’re not going to see HD replace their Microsoft infrastructure with Apple products.

        Basically, Apple is a consumer product company, not an enterprise company. The fact that their products can be used in an enterprise doesn’t mean that the enterprise can be built upon them without risk as Apple changes directions too fast for an enterprise. If HD were to turn their backs on Microsoft infrastructure they’d more wisely turn to *nix.

        I don’t recall seeing anything yet coming out of the IBM partnership and that even sounded more like IBM assisting with integrated fleets of iPads with custom applications.

        This little purchase isn’t any kind of win for Team Apple, unfortunately.

      • braytonak - 9 years ago

        I’ve read (multiple times) that Apple uses Azure and Amazon Cloud Services to run iCloud, just as an example of how their own products can’t really drive an entire enterprise.

      • Swordmaker - 9 years ago

        Azure and AMAZON Cloud Services are used because Apple has not completed enough of their own server farms to service all of their own customers, so they contract it out. I hear it’s about 20%.

      • WaveMedia (@WaveMedia) - 9 years ago

        This is why IBM is an important factor now. They’re doing the enterprise stuff for them.

      • ctyrider (@ctyrider) - 9 years ago

        @braytonak – you do know everything you just said is bunk, right? There are plenty of multi-billion dollar Fortune-100s with IT Departments which support fleets of Apple products used by employees. Google is a great example – they support tens of thousands of Macs used by internal staff. If you search around – they even did a public presentation on how they do it, and what tools they use (hint – lot of it is open source).

        Sure, Apple doesn’t *focus* on Enterprise, as that’s now where bulk of their revenue comes from. But that doesn’t mean that Windows must be the only choice for Enterprises in this day and age. Trouble is – majority of Enterprise IT is just too dumb and lazy, and they are happy to hind behind Microsoft support contracts and bloated off-the-shelf software.

      • Mosha - 9 years ago

        This kid…

      • Mike Knopp (@mknopp) - 9 years ago

        @braytonak

        “If HD were to turn their backs on Microsoft infrastructure they’d more wisely turn to *nix. ”

        You mean like OSX? Which is one of the few Unix 03 certified systems in the world. People tend to forget that under the hood OSX is a fully certified Unix system. Now, I am not sure if Yosemite is certified yet, I would guess that there is a delay between release and certification, but for corporate customers that isn’t as big of a deal since many corporations wait to upgrade OS.

    • James A Thompson - 9 years ago

      @braytonak,

      Support IS necessary for Microsoft windows because your NEED it.
      “Windows REQUIRES FULL TIME SUPPORT”

      After a company takes the time to replace their Windowz desktops with either Mac OS or Linux, there’s not as much need for support.

      A friend of mine has his own business providing support for small businesses. I asked him “Why he didn’t promote Mac OS or Linux to his clients?” He simply stated: “Then they won’t need me as much, I won’t make any money.”

      Remember the main reason you need support is when something doesn’t work, or when your have a virus/Trojan, LOL Virus…

      It’s about time that enterprise users realize that they are paying for support that is only necessary because, “Windows REQUIRES FULL TIME SUPPORT”.

  4. optimaximal1 - 9 years ago

    Total rubbish.

    This sounds like the IT department saving face and the company itself announcing the purchase of Apple hardware as a ‘media dodge’ to make it seem the problem has gone away.

    If they’d done their security properly, it wouldn’t matter if they were using a Windows network or not – holes in corporate networks are often a result of lax security protocols. At the end of the day, some exec. has likely had a phone/laptop stolen with either plaintext credentials available (passwords.doc in the Documents folder?) or a VPN connection, neither of which will actually be mitigated by a Mac…

    • Air Burt - 9 years ago

      Totally missed that bit about the hackers using a Windows vulnerability to get access. Logic is lost among you apologists.

  5. Brian Erdelyi - 9 years ago

    I agree with Optimaximal1 and Braytonak.

    Although I prefer Apple products, I think it’s a stretch to think that this would have prevented the breach. Based on the details in this article the breach was a result of “gaining credentials from an outside vendor”, “Microsoft did issue a security patch after the breach began” and “hackers were able to jump the barriers between a peripheral third-party vendor system and the company’s more secure main computer network”.

    How is any Apple product going to protect you (better than Windows) if hackers have already obtained credentials?

    How is any Apple product going to protect you (better than Windows) if you have a flat network, poor network segmentation or allow insecure/inapproriate services into your more secure main computer network?

    Zero day vulnerabilities can be found in any product. I do believe that Apple may have a better track record here, however, the tools to manage large scale deployments of desktops and servers (particularly software patches and configurations) are far more robust and mature on Windows.

  6. dennyc69 - 9 years ago

    Personally, whatever the reason for how they got in and with what is now a moot point. Microsoft bares a lot of the the responsibility because they didn’t challenge their platform enough to see the loop holes that were created in time. Just maybe Microsoft needs to spend more time on their next OS finding out where the bugs are, instead of trying to push a yearly release cycle to keep up with the Joneses.

    On the other side of that coin is the Home Depot IT department who didn’t challenge their own POS Systems well enough. They left an a walkway wide open for the hackers to stroll on in and take what they wanted and put their customers at risk.

    I don’t know of any computer software out there that isn’t 100% secure, and having an Apple vs Microsoft vs Linux vs whatever is pointless in my view. What needs to happen is a complete reimagining of how networks are laid out. Everyone goes to the same schools to learn the same things, and if you teach everyone the same stuff, your going to find a way to circumvent what your buddies are doing next to you. It’s time to evolve what we have already and take it to the next steps or were going to see stories like this for the next 50 years.

  7. Sterling Rose - 9 years ago

    And then they installed Windows 98 on them…

  8. edbellmcse - 9 years ago

    Interesting that they lay the blame on Microsoft – when the story clearly states that the hackers gained access to the system by using stolen vendor credentials.

    • Air Burt - 9 years ago

      …..and then used a Windows vulnerability to gain access to the “more secure” part.

      • edbellmcse - 9 years ago

        Hi Air Burt – While I agree with your comment, the blame doesn’t sit solely upon a Windows Vulnerability. Getting past the firewall and into an internal network is far more drastic (IMO). Considering that we do not know what the vulnerability was (I have not found where that was disclosed), we are unable to ascertain was it Microsoft’s fault or the Home Depot’s IT staff for not adequately patching the system?

      • edbellmcse - 9 years ago

        And now more information on how it happened – Honestly, this is inexcusable and pure incompetence on the IT/Security Staff http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open

      • Air Burt - 9 years ago

        And nowhere did I say that Windows is completely to blame. There were multiple failures (mostly user error), but Windows can certainly take some of the blame for having a crappy firewall in the first place.

  9. vpndev - 9 years ago

    Getting away from Windows may indeed be a good move but is hardly sufficient.

    In no particular order, here are a few of the actions HD should take:
    1. hire a security-IT manager with a proven track record, and proven to be good
    2. segregate the POS network from general corporate networks. And severely restrict third-party (vendor access)
    3. activate the chip-card readers that are already in the POS devices. Yes – they are there next to the swipe-slot, but they are NOT active (I’ve tried, and I just get a message asking me to swipe ! D’oh !)

  10. Glen Othello - 9 years ago

    LOL at buying Apple products – only an idiot would use those overpriced POS – try Linux doofuses.

  11. Brian Bowes - 9 years ago

    I’ve been trying to find out exactly how a Windows flaw causes this when there should have been a legion of Firewalls, IPS/IDS systems, DLP systems and various other security measures in place to prevent this, most of which are LInux/Unix based. There are companies that provide real time threat management and response for VERY little cost considering the impact that a data breach like this actually causes (Trustwave, Dell Secureworks, Checkpoint). Even a compromised system within a fully secured network should be identifiable with the right utilities in place.

    But i guess it’s easier to blame MS and have Mac fanbois flip their shit for having another reason to spew bullshit about MS.

    I worked in a Mac shop before for almost 3 years and owned Macs for almost 7 years. This whole “they don’t need as much support” is a crock of shit. They need just as much support as any Windows system in an enterprise environment. Their “enterprise” level servers were the most unreliable piles of garbage that I’ve had the displeasure of having to administer in 20 years of IT.

    If it was a Windows vulnerability that caused the issue and the response is to put Macs and iPhones in the hands of execs instead of going completely hardcore about security it’s probably 1 or 2 idiots that caused the issue with a compromised system being brought into the environment or severe lack of security measures in place. Again, blame Windows…it’s clearly not the fault of some numpty idiot not having the right security measures in place who shouldn’t be working at the Home Depot.

    • vpndev - 9 years ago

      Brian: the Windows flaw (Win Embedded IIRC, which is just a repackaged and stripped XP) was crucial in allowing the malware to get a foothold on the POS devices.

      And, as you correctly point out, so was the lack of separation, lack of IPS/IDS etc etc. There’s plenty of blame to go around, including the hiring of an IT manager with insufficient experience and a compromised background.

      Buying a few Macs won’t solve this problem.

    • vpndev - 9 years ago

      p.s. there are indeed companies that do the monitoring you describe. And Target had one of those. And it detected the intrusion before any data was exfiltrated.

      But Target management didn’t act. Ultimately it was a management failure – not a technical one (although there were several of those).