Lessons from Home Depot: Expect hackers to crack more retailers this holiday season

“The new details that Home Depot revealed Thursday about its data breach tell us a lot. We have come to a very real crossroads. Retailers have no choice. They must assume the perimeters of their computer networks WILL be breached,” Paula Rosenblum writes for Forbes. “Hackers continue to run one step ahead of retailers and their security experts and standards.”

“Home Depot, like Target before it, was compliant with industry standards, called PCI-DSS (Payment Card Industry Data Security Standard). In both cases, the bad guys entered the network perimeter by using a vendor’s login credentials,” Rosenblum writes. “Allowing vendors to access retailer networks is not a bad thing in and of itself. It has become more and more common for retailers to implement these ‘Vendor Portals.’ It saves both retailers and suppliers time and money on billing, information sharing and standards reviews. PCI-DSS does indeed specify that vendor portals must be separated from internal networks. And Home Depot had done so. But in this case, the bad guys exploited a hole in the Microsoft MSFT +1.71% Windows Operating System (most likely on a server) to “hop” across networks. Microsoft later patched that hole, but for Home Depot (and who knows who else!) the damage was done.”

MacDailyNews Take: Microsoft Windows. The gift that keeps on giving. Like dysentery.

“What should consumers do?” Rosenblum writes. “Don’t expose your credit card information to retailers at all. Yes, that means using Apple Pay…”

Read more in the full article here.

MacDailyNews Take: CVS, Rite-Aid and any other retailers that have blocked Apple Pay are playing with fire. Lawsuits will flow forth against them should they become the next Target or Home Depot. Sleep tight, CVS et al.

Related articles:
Class action lawsuit brewing against retailers who block Apple Pay – November 6, 2014
What Apple Pay means to Bank of America: Security – November 6, 2014
Apple Pay is nirvana for (smart) retailers – November 6, 2014
Entrepreneur warns retailers, restaurants, bars: Do not wait, jump on the Apple Pay bandwagon ASAP – November 5, 2014
Apple Pay fuels usage of long-moribund Google Wallet – November 5, 2014
After CVS and Rite Aid blocked Apple Pay, Schubert law firm launches antitrust investigation – November 4, 2014
Sorry, Walmart, CVS, Rite-Aid et al. — Apple Pay and NFC have already won – November 4, 2014


  1. Are you listening, E*Trade? When are you going to be compatible with Apple Pay? My E*Trade debit and credit cards have been replaced twice now due to retailer system breaches. It’s a huge PITA each time, with canceled cards and mailing out replacements. It’s getting old quickly.

  2. As I stated before, companies who refuse to support Apple Pay will increasingly become targets of these kind of attacks because it will mean 100% of their transactions will equate to usable data for successful hackers, while stores accepting Apple Pay should see a shift in more use with that system meaning a smaller percentage of their sales will be usable to hackers. Hackers will learn that these companies are less valuable to hack because they do not store credit card details for a growing percentage of their transactions.

  3. Not only have many of these retailers been hacked, but I expect the hackers will specifically target MCX members this holiday season seeing as one major breach has already happened. I think it will be a race to see who can get into their systems first.

  4. Pathetic, isn’t it: Home Depot, like Target before it, was compliant with industry standards, called PCI-DSS (Payment Card Industry Data Security Standard).

    Allowing vendors to access retailer networks is not a bad thing in and of itself…

    No, not if you know how to administer a network and force your vendors to be GUESTS ONLY! Why is that hard?

    And let’s be clear here: ALL of these companies have been fully aware of the specific malware being used to breach retail company networks. The DELIBERATELY ignored it, with the obvious inevitable consequences.

    This isn’t just a security problem: It’s an INCOMPETENT MANAGEMENT PROBLEM. Shout it out! That’s why the CEO of Target got the boot. There are more moronic CEOs to follow, not to mention CIOs…

    Then there’s that other inconceivably still active culprit: Windows XP Embedded. OMFG catch up retail world. You are enabling your own self-destruction, that resounding theme of our current age of bad biznizz.

  5. Here’s my strategy …

    I reported all cards that could be loaded into Apple Pay as “lost”. The banks cancelled old cards, issued new card with new numbers. So any old number that is being stored in a store’s database, or online, is now useless.

    Entered new cards into Apple Pay, then put the card in my safe.

    I then went and opened up a secondary FREE checking account at my Bank, and got a DEBIT only card for that account. No overdraft on the card, it can only be authorized for the amount of money in the account at that time.

    If I can use Apple Pay – I do.

    If I can’t, I use the secondary checking Debit card – I keep the balance on the card as close to zero as possible. When I need it, I fire up Safari on my iPhone, transfer money from primary account to secondary account, then use the Debit card. If which ever store I’m using the Debit card at, gets hacked, the odds of someone getting a lot of money are VERY low.

    Until Apple Pay is accepted everywhere, this is the only way I can think of to keep potential exposure to a minimum.

      1. In a sense, I do use cash, because the majority of my purchases are made via a debit card. The remainder made on credit cards are paid off online at the end of the week so that I don’t pay interest on any purchases.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.