This evening The Wall Street Journal Technology blog is reporting (paid subscription or free metered view) that the hackers behind the recent massive data and credit card breach at home improvement retailer Home Depot gained access using username and password information stolen from a services vendor. The WSJ cited informed sources as indicating that, after two months of investigations, Home Depot was found to be the victim of the same infiltration tactics hackers used in the Target stores data breach that occurred a year ago, namely hijacking the credentials of a contracted services supplier. Once inside Home Depot’s internal systems, the hackers reportedly were able to jump the barriers between the peripheral vendor system and the retailer’s more secure retail network by exploiting security vulnerabilities.
It is now believed that 53 million email addresses were exposed in addition to the previously reported compromise of 56 million credit card accounts. The revelation comes after Home Depot recently declared to its customers that its retail systems were now safe.
The timing of this added information concerning Home Depot is also inopportune, with the holiday fulfillment season right around the corner.
In our prior Supply Chain Matters commentary related to the Target incident, we noted important ramifications for B2C and B2B customer fulfillment or Omni-channel processes that involve third-party services or supplier vendors. With this latest revelation that Home Depot indeed succumbed to similar vulnerabilities, retail industry IT and supply chain teams will be under increased scrutiny as to system and information security practices and vendor access credentials.
Business media continues to note that Target is still trying to bounce back from a loss of consumer confidence, recently announcing the closure of an additional 11 retail stores by February 2015. Today, Target announced the appointment of a Senior Vice President and Chief Risk Compliance Officer reporting directly to Target’s CEO and Chairman. Jacqueline Hourigan will lead continued efforts to overhaul information security and compliance, under an umbrella of centralized leadership of enterprise risk management, including vendor management. That model may well be replicated by other large retailers.
Consumers must be assured that information security remains a top priority and that strict standards are being adhered to. That unfortunately will lead to further scrutiny of supply-chain-wide information security practices.