Home Depot traces credit card data hack to supplier compromise

US retailer Home Depot reveals its recent data breach was linked to a compromised supplier’s credentials

US retailer Home Depot said it has traced the world’s second largest theft of credit card details from its systems back to a supplier’s compromised username and password.

In September 2014, the retailer confirmed that about 56 million payment card records had been compromised, but now says 53 million email addresses were also stolen.

In the latest update on the investigation into the breach, Home Depot said the file containing the email addresses did not contain passwords or other sensitive personal information.

However, Home Depot warned customers to guard against phishing attacks using the email addresses to trick customers into revealing personal information.

Although Home Depot has not identified the supplier linked to the breach, the revelation highlighted the importance of information security throughout the supply chain.

This is the second time a major data breach at a US retailer has been linked to a compromised supplier.

Attackers used stolen supplier credentials to access the corporate network of US retailer Target in December 2013. The hackers accessed 40 million payment card records and the personal data of 70 million customers.

Some payment card industry experts believe due diligence in the supply chain must become a key business operations skill, and it must include information security.


PCI DSS and third-part responsibility

The increasing compromise of suppliers to merchants is a worrying trend, said the Payment Card Industry Security Standards Council (PCI SSC).

The latest version of the Payment Card Industry’s Data Security Standard (PCI DSS) – which becomes mandatory for merchants on 1 January 2015 – places more emphasis on supply chain security.

While PCI DSS V2.0 has some elements of supply chain security, V3.0 is much clearer and includes requirements around third-party risk management and the responsibilities of third parties themselves.

“Version 3.0 puts a greater focus on trying to improve the security of third-party service providers,” PCI SSC European director Jeremy King told Computer Weekly in October 2014. 

“It is in data transfers between merchants and third parties where we are seeing of lot of the compromises and breaches occurring.”

The PCI SSC expects merchants will increasingly require third-party providers to achieve PCI DSS compliance in their own right.

“At the very least, we expect them to require suppliers to understand PCI DSS requirements and have appropriate measures in place for securing the data that comes to them,” said King.

Managing supplier risk requires comprehensive due diligence, particularly in the opening stages of a relationship, said Dave Clemente, research analyst at the Information Security Forum.

“Ultimately the companies that remain competitive are those that adapt their resources to the exponentially growing challenges of information risk,” Clemente said.

Early detection

Seculert’s CTO and co-founder Aviv Raff said Home Depot's data breach shows there are too many blind spots to prevent an attack.

“In this case, the attacker was able to jump from a third-party, vendor-specific environment to the corporate environment using a zero-day vulnerability in Microsoft Windows,” Raff said.

Raff said Home Depot took over 5 months to detect the attack. “If you can not only evade detection on the way in, but live there for five months, it’s more like a blind cavern than a blind spot.”

Raff said that Home Depot – like other retailers that have been breached – focused more on trying to prevent an attack than trying to detect an active compromise. 

“We now see more and more enterprises moving towards early detection of compromised devices in their network, before an incident becomes a breach,” he said.

Stronger authentication

Incapsula's CEO and co-founder Marc Gaffan said Home Depot's data breach highlighted the vulnerability of passwords.

“Everyone in IT knows strong authentication is the answer. So why aren’t we rolling it out? There is a general sentiment that implementing strong authentication is difficult, but it’s not anymore,” Gaffan said.

According to Gaffan, two-factor authentication is a straightforward replacement for the password and not too complicated to put in place for IT staff and contractors working on sensitive systems.

“Once we see broader adoption and implementation of two-factor authentication, we should also see a decrease in data theft,” he said.

Fido's open authentication protocol

Technology industry consortium, the Fido Alliance, is dedicated to improving authentication online and is close to publishing a final specification for an open authentication protocol.

In February 2014, the Fido Alliance published the draft Online Security Transaction Protocol (OSTP), which is aimed at eliminating passwords by enabling interoperability between strong authentication devices.

Based on the draft specification, members of the alliance have developed 35 “Fido-Ready” products, including client-server products from Nok Nok Labs.

Google announced the most recent “Fido-ready” product with the release of its USB Security Key based on Fido’s universal second-factor authentication (U2F) specification.

Google Chrome was the first web browser to support Fido Alliance authentication standards.

Once the final specification is published, the Fido Alliance expects to see more products and services based on the password-killing protocol.

Fido Alliance members include heavyweights such as Google, PayPal, Microsoft, Amazon, Dell and the Alibaba Group.

Read more on Privacy and data protection

Data Center
Data Management