Home Depot Hack Turns Into Criminal Negligence Scandal



  • Continuing the discussion from Home Depot and Target Breaches Exploited Old WinXP Flaw:

    Full story here: http://blog.knowbe4.com/bid/397505/CyberheistNews-Vol-4-39-Home-Depot-Hack-Turns-Into-Criminal-Negligence-Scandal

    Relevant Excerpt:

    "...Ex-employees from the Home Depot IT technology group are now claiming that management of the retailer had been warned for years that their Point Of Sale systems were open to attack and did not act on these warnings. Several members of the Home Depot IT security team quit their jobs in protest.

    "It gets worse. In 2012, Home Depot management hired Ricky Joe Mitchell as their Senior IT security architect, apparently without doing their due diligence and background check. Turns out that Mitchell was fired from a company called EnerVest Operating where he sabotaged that company’s network for 30 days in an act of revenge.

    "It gets even worse. Mitchell was kept on the job at Home Depot even after his indictment a year later and remained in charge of Home Depot security until he finally pled guilty to federal charges Jan 2014.

    "Wait, we're not done yet. Things are worse than that. The same ex-employees claim that Home Depot relied on antivirus that was not being updated with new antivirus definitions, a version of Symantec AV purchased in 2007.

    "And here is the next epic fail. As we all know, to be PCI compliant, you need quarterly security scans, done by authorized third parties. However, vulnerability scans were only done irregularly, and most of the time only on a relatively small number of stores. A few IT security ex-employees said that their team was blocked from doing security audits on machines that handled customer data.

    "And finally, to add insult to injury, in a total disregard for best practices, the Home Depot didn’t run any kind of behavioral network monitoring, which means they were not able to detect any breaches and for instance see unusual files being exfiltrated from the network.

    "Now their PR team tried to paper over all this criminal negligence and claims that the company maintains "robust security systems", and that the malware was custom made and hard to detect. Yeah, right. I see another CEO being fired in the near future... "


    Just...wow. Actually considered putting this in the SideBar WTF, this is so bad.



  • @redwizard said:

    Actually considered putting this in the SideBar WTF

    Yeah, this is SideBar worthy.


  • FoxDev

    agree. this needs to be sidebar'd



  • I believe that this reaches the threshold for "tar and feather"



  • Also this: http://blog.knowbe4.com/bid/399706/Home-Depot-Hackers-Also-Steal-53-Million-Email-Addresses

    As if it wasn't bad enough to lose 56 million credit card accounts, now Home Depot has to admit it also lost 53 million email addresses. This gives the bad guys a fabulous opportunity to go spear-phishing with a Home Depot theme. What an epic fail.


  • Grade A Premium Asshole

    That is absolutely horrible. You can get by with that shit if you are a mom and pop burger stand in East Bumfuck, Idaho. By the time you get to multi-national corporation size, you need to have your shit together. They need to have their asses handed to them.



  • I wouldn't exactly call this negligence. This sounds more like criminal intent.



  • This post is deleted!


  • @chubertdev said:

    This sounds more like criminal intent.

    Home Depot's lead security engineer:

    Ricky Joe Mitchell, the former lead security engineer at Home Depot's stores, was convicted this spring of sabotaging the security network of his previous employer. He is now serving a four-year sentence in federal prison.

    When Mitchell learned he was going to be fired in June of 2012 from the oil and gas company EnerVest Operating, he “remotely accessed EnerVest’s computer systems and reset the company’s network servers to factory settings, essentially eliminating access to all the company’s data and applications for its eastern United States operations,” a Department of Justice spokesperson wrote in a release on his conviction. “Before his access to EnerVest’s offices could be terminated, Mitchell entered the office after business hours, disconnected critical pieces of…network equipment, and disabled the equipment’s cooling system.” As a result of his actions, the company permanently lost some of its data and spent hundreds of thousands of dollars repairing equipment and recovering historical data. It took a month to bring the company’s office back online, costing the company as much as $1 million in lost business.


  • Grade A Premium Asshole

    What a fucking asshole. No wonder they fired him. Good luck getting a job now that we are in an era where every company at least Google's your name before hiring you...



  • @Intercourse said:

    No wonder they fired him.

    I haven't seen anything that says why EnerVest fired him (but I haven't really gone looking for it, either). The sabotage occurred between the time he learned they were going to fire him and the time they actually did, according to that article.

    More interesting is that apparently Home Depot didn't fire him until he was actually convicted of the previous sabotage. AFAICT, he continued to have full responsibility for and access to HD's network even after he was indicted for network sabotage.


  • Grade A Premium Asshole

    @HardwareGeek said:

    I haven't seen anything that says why EnerVest fired him

    I phrased it poorly, but basically if he was a big enough asshole to do that, he is a big enough asshole to be fired for just being an asshole. 😄



  • @Intercourse said:

    What a (fornicating, not the fun kind) asshole. No wonder they fired him. Good luck getting a job now that we are in an era where every company except Home Depot at least Googles your name before hiring you...

    FTFY


  • Grade A Premium Asshole

    Yeah, he could always go back to work there. They take anyone apparently. ;)



  • @Intercourse said:

    Yeah, he could always go back to work there. They take anyone apparently. ;)

    "Why were you fired from your last job?"
    "You don't know?"
    "I tried to access those records, but the systems were unavailable for some reason."



  • @Intercourse said:

    he could always go back to work there

    In four years, or so, when he gets out of prison.


  • Grade A Premium Asshole

    @HardwareGeek said:

    In four years, or so, when he gets out of prison.

    If they will hire someone who is currently under indictment, an ex-con is nothing.



  • @Intercourse said:

    If they will hire someone who is currently under indictment

    The way I read that, I don't think they did. I could be wrong, but I think the events occurred in this order. I have no idea how much time elapsed between each event:

    1. Mitchell finds out EnerVest is going to fire him.
    2. He commits sabotage.
    3. He is fired.
    4. He is hired by HD.
    5. He is indicted.
    6. He is convicted.
    7. HD fires him. (Presumably; I haven't seen anything that discusses this.)
    8. He goes to prison.
    9. He gets out of prison.
    10. ???
    11. Profit!


  • @HardwareGeek said:

    Home Depot has to admit it also lost 53 million email addresses

    I've been getting 2-5 spam a day claiming to be from Home Depot for months - except, ironically, today.

    I'd like to think the bad guys think their cover's blown and they've moved on.


    Filed under: Got a bridge to sell...



  • @HardwareGeek said:

    More interesting is that apparently Home Depot didn't fire him until he was actually convicted of the previous sabotage.

    This is a fun one to speculate on. One possibility is that it might have something to do with jurisprudence — firing someone for being accused of a crime seems legally questionable. Or perhaps a more practical answer is that by the time they found out what he'd done, he already had their systems by the short & curlies, and they didn't dare fire him.



  • @Buddy said:

    firing someone for being accused of a crime seems legally questionable

    Yeah. Maybe they couldn't (or didn't want to risk) outright firing him, but it would be damned stupid not to take some action — at least paid administrative leave or something — to get him out of the office and unable to access the network. The few reports I've seen haven't had much detail of what he actually did at HD. Presumably, there is an investigation going on, and either they don't really have those details yet, or they aren't saying for legal (and/or PR) reasons.



  • @HardwareGeek said:

    Presumably, there is an investigation going on, and either they don't really have those details yet, or they aren't saying for legal (and/or PR) reasons.

    Or another thought is that maybe he was brought on specifically as a fall-guy. I mean, obviously no-one rational would conclude that someone who was hired two years ago was responsible for ten years of systematic incompetence, but if you look at it from a PR perspective, probably a lot of people who are only marginally interested in the case will glance over the article, see that

    I do not like the shit they try to teach me so I get bored and try to liven things up a bit.

    Rickdog 96-? Forever and beyond …

    quote, think “well, there's your problem”, and move on.



  • @Intercourse said:

    an ex-con is nothing

    Forgot to respond to this part of your post.

    True, perhaps, but my point was that he's not really available for employment for four-ish years. Hiring an ex-con is one thing (whether it's a good or bad idea depends on what it was convicted of and what you are hiring it for), but hiring people who are currently incarcerated is a bit problematic; they generally have difficulty getting to the office.


  • Grade A Premium Asshole

    You and your hair-splitting. If he were a motivated employee, he could make it happen.



  • @Intercourse said:

    If he were a motivated employee

    Oh he's motivated, just more in the black arts.


  • Discourse touched me in a no-no place

    @Buddy said:

    Or another thought is that maybe he was brought on specifically as a fall-guy.

    Possible, but “incompetence” is a more likely initial guess on the motivation front, at least until there's some evidence that says otherwise. The machiavellian approach takes much more conspiracy and outright effort and so people very rarely bother.



  • @Buddy said:

    This is a fun one to speculate on. One possibility is that it might have something to do with jurisprudence — firing someone for being accused of a crime seems legally questionable.

    Are you kidding me? This is the US of A, you can be fired for being overheard telling a crude joke to your friend. You can be fired for almost anything. Unless you're in a union. Or Catholic clergy.



  • Apparently Home Depot didn't.



  • @HardwareGeek said:

    but hiring people who are currently incarcerated is a bit problematic; they generally have difficulty getting to the office.

    pfft. He'd obviously just be "working from home"



  • Maybe the negligence refers to the work of their HR department.



  • @Intercourse said:

    By the time you get to multi-national corporation size, you need to have your shit together.

    You're cute.



  • @HardwareGeek said:

    Forgot to respond to this part of your post.

    True, perhaps, but my point was that he's not really available for employment for four-ish years. Hiring an ex-con is one thing (whether it's a good or bad idea depends on what it was convicted of and what you are hiring it for), but hiring people who are currently incarcerated is a bit problematic; they generally have difficulty getting to the office.


    Actually, it is strongly dependent on the type of conviction and the type of job. Good luck getting an accounting job (or related) with a conviction for financial fraud, for example (yes, I know it happens, but most places that aren't completely insane or into corporate self-harm will not hire such a person).


  • Grade A Premium Asshole

    @Maciejasjmj said:

    You're cute.

    Are you hitting on me?



  • @Steve_The_Cynic said:

    it is strongly dependent on the type of conviction and the type of job.

    Didn't I just say that?

    @Steve_The_Cynic said:

    @HardwareGeek said:
    whether it's a good or bad idea depends on what it was convicted of and what you are hiring it for
    Yes, I think I did.


  • FoxDev

    @Intercourse said:

    Are you hitting on me?

    looks like it from here.



  • @Steve_The_Cynic said:

    Good luck getting an accounting job (or related) with a conviction for financial fraud

    If a conviction prevents you from getting an accounting job, I've heard you can always apply for the Secretary of the Treasury position instead.



  • @HardwareGeek said:

    Didn't I just say that?

    @Steve_The_Cynic said:

    @HardwareGeek said:
    whether it's a good or bad idea depends on what it was convicted of and what you are hiring it for
    Yes, I think I did.

    No, I think you didn't. I said "strongly dependent", but you just said "depends" without the "strongly" part. Picky, I know, and maybe I'm just not admitting that I missed that part of what you said.

    Oops.


  • Fake News

    @mott555 said:

    If a conviction prevents you from getting an accounting job, I've heard you can always apply for the Secretary of the Treasury position instead.
    And as an added bonus, you can cheat on your taxes, blame tax prep software when you get called on it, and get a light tap on the wrist. America, Fuck Yeah!



  • And another big american company is attacked through some POS exploit:

    SP+, a company that provides parking, maintenance and security services to property owners, said on Friday that an unauthorized attacker gained access to its payment processing systems and was able to access customer names and payment card information.


Log in to reply