Security Breach at Home Depot: A Symptom of a Larger Problem in Corporate America
The Largest Data Breach in Retail History
By now, just about everyone has heard about the data breach at The Home Depot that resulted in the theft of some 56 million debit/credit cards. The breach was made possible by malware (a virus) installed on Home Depot computers that went undetected for over 5 months.
I’ve already had 2 of my cards replaced by my banks as a precaution since they were used at The Home Depot during the timeframe in which their computers were infected. Luckily for me, I’ve yet to see any fraudulent charges appear.
The Big Picture
Hackers have been around as long as computers and businesses should know this. As more details about what happened in this particular case come to surface, it becomes clear that the customers of The Home Depot are really the victims of corporate ignorance. The New York Times reports that ex-employees of The Home Depot had been warning them for years that their systems were vulnerable. What really happened at The Home Depot is the same thing that’s been happening for years at other companies: IT department budgets being determined by people who have no IT background or basic understanding of what happens behind the scenes to keep the company computers safe.
Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.” ~The New York Times
A recent article by The Huffington Post stated that security employees had raised flags to management about the lack of encryption on credit card information but they refused to address their concerns. Over the last few years, many of the security staff left the job due to the unwillingness of management to adhere to industry standards for protecting consumer information.
Most people might never see the connection between janitorial services and IT services but in my adult professional life as a big box retail store manager and now as an IT Professional for the Department of Defense, I’ve learned that these are the 2 services that typically get cut or understaffed because they are invisible to both the customer and to corporate executives. They’re also the services that you can skip over for a few days with minimal disruption to the business. Corporate policies designed to maximize profit and executed by senior level suits typically leave these invisible services lacking in equipment, training, & adequate staff. Ignoring these areas for long periods of time will result in a growing backlog of work that becomes neglected as other daily tasks continue to take precedence.
Stepping Over Dollars to Pick up Nickels
When I was a retail grocery store manager, if we had to cut back hours to make our budget for the week, the first thing we cut was the folks doing the cleaning. You could get away without cleaning a bathroom for a day or two and hope that the following week you’d have the money available to catch up. Once you made that tighter budget, your bosses who worked maybe hundreds of miles away would expect you to make it week after week and before you know it, you’ve got no cleaning staff at all. Months later when you get a senior executive visiting your store they notice how bad it looks and wonder how things got this bad. By the time this happens it’s too late; too many customers have taken notice and your sales are now suffering because people aren’t shopping in your store.
The same thing happens in the IT world. When an Army organization that I support decided to arbitrarily cut their IT staff from 3 to 1, it wasn’t long before they began to miss project deadlines because their engineers didn’t have the proper level of computer support. The IT supervisors who made the decision to cut staff hadn’t reviewed any of their support tickets or project files over the previous 18 months. By the time they realized how far they were falling behind because of computers not getting fixed, the 1 remaining IT guy (now being pulled in multiple directions all day long) was looking for another job and the organization had already lost contracts and customers.
When senior-level executives log into their work computers or make VPN connections from home, they expect everything to work without thinking how many hours go into having those technologies available to them. They don’t think about how many security patches are applied after hours or how many data center hard drives have to be replaced regularly.
How to Solve The Issue: Autonomy for Invisible Services
A maintenance supervisor for SuperValu once told me, “You can’t hold maintenance department to a budget, if something breaks you have to fix it. You can’t just not fix a broken toilet and expect business to continue as if nothing is wrong”. Corporations need to learn that IT is no different – you can’t budget down to the penny because sometimes things just break, and if they don’t break, they need maintenance and monitoring. Nobody knows when a new virus is going to hit or when a hard drive is going to fail.
Just like any other employees, IT workers take pride in doing a good job. If they don’t have the tools for the job, they’ll leave and go work for your competitor. Even worse, they might stay and just not do their job out of frustration. From a legal standpoint, The Home Depot (and other offenders) should be held liable for all direct and indirect financial damages from these types of attacks especially when there is evidence that they refused to do their due diligence in protecting consumer information.