TitanHQ

TitanHQ Blog

Phishing Used in Home Depot Data Breach

Posted by Geraldine Hunt on Thu, Dec 17th, 2020

Anti-phishing isn’t an option; it’s a necessity when it comes to protecting customer data. In one of the biggest data breaches to date, Home Depot has finally settled its lawsuits from consumer states and will pay $17.5 million in reparations. The data breach, which happened in 2014, involved attacks similar to those in the Target data breach in 2014. Over 56 million credit cards were stolen, and the breach ranks as one of the largest data breaches in the last decade. The company estimates that the breach cost it approximately $179 million in legal fees, violations, reparations, and cleanup.

Cybersecurity Should Never Be Overlooked

In the subsequent US state lawsuits, Home Depot was criticized for its failure to stay compliant and keep resources secure from hackers. The attack stemmed from stolen email addresses disclosed after a third-party vendor compromise. These email addresses were then used to send phishing emails to targeted employees.

Earlier in 2013, Target suffered from a similar method of attack after a third-party HVAC contractor with remote access to the internal network fell victim to a phishing attack. An employee at the HVAC contractor opened a malware-laced attachment. The malware installed on the local device and stole credentials, which were later used to install malware on Target’s point-of-sale (POS) machines that stored credit card data.

The Home Depot attack in 2014 used a similar but not identical method. It too started with a phishing campaign, but stolen credentials were not enough for attackers to install malware on POS systems. Attackers used an unpatched Windows vulnerability to exploit self-checkout systems and install malware. The vulnerability was publicly known, and Microsoft had already released a patch for it. Home Depot IT staff failed to patch the systems until after malware had been installed.

To stay compliant, organizations must take every reasonable precaution to protect against malware. By failing to patch vulnerable devices, Home Depot failed to perform reasonable cybersecurity actions against a known threat. Not only did the company fail to properly patch systems, but it also continually told the public that the threat had been contained when it had not.

Anti-Phishing Technology is Necessary to Protect Data

A newly published Symantec report found that over 65% of attacks use spear-phishing as a vector for targeted cyber-attacks. While many phishing attacks send emails at random to a large number of recipients, spear-phishing targets specific users, mainly employees with high-privilege access to corporate network resources.

Credential theft is far less popular, as multi-factor authentication (MFA) makes it more difficult for attackers. Instead, spear-phishing targets specific employees with malware-ridden attachments. After an employee opens the malicious attachment, malware installs on the local device and often gives attackers remote access to the machine. In some instances, malware installed on one device can scan and infect other systems in worm-like behavior, which was the method used in the Home Depot attack.

If network monitoring applications don’t detect the malware, attackers can potentially have months to scan for sensitive data and slowly extract it from the local network to a remote server. These types of attacks can lead to millions of financial records being stolen and disclosed to an attacker, who can later sell the information on darknet markets.

In Home Depot’s agreement with US states, the retail giant must implement better cybersecurity controls and bring its digital environment into compliance, namely with PCI-DSS. In its effort to better protect data, Home Depot will presumably implement better phishing controls to stop the rampant attacks against corporate environments.

Any organization that stores sensitive data must have the right cybersecurity controls in place, and anti-phishing isn’t an option; it’s a necessity. Training helps employees detect malicious email messages, but phishing relies on human error. Busy employees may overlook the red flags and telltale signs. It only takes a simple click of a button to allow malware to run and cause massive disruption to resources.

Anti-malware systems detect suspicious email messages and quarantine them before they ever reach the recipient’s inbox. Administrators can still review messages and send them to recipients if they find the content innocuous, but a deluge of phishing emails could indicate that the company is the target of a sophisticated phishing campaign. By stopping malware before it reaches the user’s inbox, much of the risk associated with phishing and malicious attachments can be eliminated.

Training, cybersecurity access controls, and anti-phishing resources are key to protecting corporate data. Home Depot is a good example of why ignoring cybersecurity can cost an organization much more money in the aftermath than the cost to implement it before becoming a target.

Take control of your cybersecurity to prevent phishing scams and protect your customer data. SpamTitan blocks spam, viruses, phishing attempts, malware, ransomware, and other email threats. Learn more about SpamTitan and how it can provide advanced yet easy-to-use email security for your business. Contact the TitanHQ team today for further information and a product demonstration.
