Former information security managers at Home Depot told Bloomberg Businessweek that outdated security software might have given hackers freer rein to breach the retailer’s payment data systems.
Although the Home Depot has said little about what contributed to the recent cyber-attack, various unnamed sources told Bloomberg Businessweek that management preference for “C-level security,” which they claim wasn’t set up to encrypt customers’ payment data, didn’t help matters. This was the case even though two months ago, Symantec, the security solutions provider, performed a “health check” on the company’s information systems and identified anti-virus software that was clearly out-of-date.
Though Home Depot has said there is no evidence that any customer credit or debit card data has been compromised, the company disclosed the hacking might have started “as early as April.” Currently, Home Depot has 2,155 stores in the United States and Canada.
A big reason for Home Depot’s reluctance to upgrade its software was its high costs, alleged some of the sources who asked not to be identified because they fear reprisals as they work with companies that do business with the retailer.
The same sources told Bloomberg that they were well aware of the company’s archaic security systems and had reached out to higher-ups, including information security chief Jeff Mitchell, only to be continually rebuffed.
The same sources told the publication that this year “Home Depot purchased a tool from Voltage Security to encrypt [payment] card data, but the system hasn’t yet been implemented.”
Further, the former staffers also said that Home Depot was relying on Symantec’s Endpoint Protection 11, which was released in 2007, for its point-of-sales systems, even though they had urged the retailer to upgrade to a newer version that was unveiled in 2011.
Bloomberg writes that Symantec has begun to phase out customer support for the older version and that “all such support will cease on January 5, 2015.”