COVID-19 Update

A Third-Party Vendor Cost Home Depot $179 Million in Data Breach

Home Depot has shelled out more than $179 million to resolve a 2014 data breach that was a result of a third-party vendor’s security lapse.

Leave a Comment

As AV-over-IP and remote management solutions continue to proliferate the audiovisual industry, robust cybersecurity practices are becoming even more critical.

Like IT companies and managed service providers (MSPs), system integrators hold the keys to the networks of hundreds – sometimes thousands – of organizations. They represent a big target that could yield a big payday if a ransomware attack is successful.

Just ask Home Depot, which on Wednesday agreed to a massive $17.5 million settlement with the attorneys general of 46 states and the District of Columbia over a 2014 data breach.

According to the company, hackers gained access to the perimeter of the company’s network using stolen credentials from an undisclosed third-party vendor.

Then, the criminals acquired elevated rights within the network that allowed them to deploy unique, custom-built malware on self-checkout systems in the U.S. and Canada.

Payment card data along with 53 million email addresses were taken during the breach, according to the company.

Although Home Depot agreed to pay $17.5 million, the total cost of the data breach is at leas $179 million due to settlements with financial institutions and other remediation costs.

This follows a similar attack against the similarly giant retailer Target, which in 2017 agreed to an $18.5 million settlement after hackers gained access to the company’s network through an HVAC vendor that had remote access to systems installed at Target stores.

Read Next: Don’t Be The Next Data Breach Scapegoat

In addition to the massive amount of money it has to cough up to resolve these issues, Home Depot also agreed to hire a chief information security officer, offer security training to employees, and take several other steps to shore up the company’s network.

Court records and other media reports don’t identify the nature of the third-party vendor, and instead shed light on Home Depot’s lack of cybersecurity wherewithal.

However, it’s the third-party vendor that was the original target here, seemingly falling victim to a phishing attack or just practicing poor password security.

Here are some simple steps your integration firm can take to avoid being the next scapegoat of a multi-million dollar data breach:

  • Use a unique password – especially at work. Cybercriminals know that we tend to use the same password for every account, and that isn’t necessarily smart. Mix it up and use stronger passwords, especially for your work accounts.
  • Enable two-factor authentication to make it harder for hackers to compromise your accounts. This requires users to enter a one-time code in addition to their login credentials.
  • Conduct phishing tests on your employees. A phishing email should be relatively easy to identify, but these attacks are still successful. Make sure your employees know what a phishing attempt looks like and conduct regular tests to see where your vulnerabilities are.
  • Make sure systems are up to date with the latest security patches. If human error leads to an attack, security solutions built into software we use every day should be able to at least alert you to an attack.
  • Hire a dedicated information security chief. Cyberattacks are not slowing down anytime soon, but you can’t spend your time on protecting your company and clients while you’re also trying to win new contracts. Hiring a trained cybersecurity person can give you peace of mind that your company is secure while you focus on what you do best.

For the last few months, cybersecurity officials and leading IT companies have been warning about an increase in cyber attacks, and they’re getting more sophisticated.

It’s paramount that you acknowledge these threats and act accordingly – or else it will cost you big.

CoronaVirus Update