With more due diligence, Home Depot's massive data breach may have been avoidable
It's hard to imagine people handing over the keys to their homes to someone without digging through that person's history. People hired to clean the house or check on pets while the owner vacations are often trusted with access to someone's entire life after a meet-and-greet, or perhaps just a referral from the owner's friend. This isn't a problem most of the time, but sometimes it comes back to bite the homeowner right in their all-too-trusting ass.
Now imagine that the homeowner is instead the corporate parent of a national company that processes millions of credit cards every day, and that the person it's trusting is being handed the keys to all of that information without so much as a single glance at that person's background. That's exactly what happened with Home Depot, the home improvement retailer that suffered a data breach said to affect more than 52 million people this year, and its former head of security.
Ars Technica describes the security architect's checkered past in its report:
When [Ricky Joe] Mitchell learned he was going to be fired in June of 2012 from the oil and gas company EnerVest Operating, he "remotely accessed EnerVest's computer systems and reset the company's network servers to factory settings, essentially eliminating access to all the company's data and applications for its eastern United States operations," a Department of Justice spokesperson wrote in a release on his conviction. "Before his access to EnerVest's offices could be terminated, Mitchell entered the office after business hours, disconnected critical pieces of…network equipment, and disabled the equipment's cooling system." As a result of his actions, the company permanently lost some of its data and spent hundreds of thousands of dollars repairing equipment and recovering historical data. It took a month to bring the company's office back online, costing the company as much as $1 million in lost business.
One would think this is the kind of thing the Home Depot would ask EnerVest about when it looked into the person responsible for architecting its network security, but apparently that didn't come up. And, according to Ars, neither did Mitchell's history of playing with viruses:
Mitchell's previous legal troubles resulting from malicious use of his technical skills date back to when he was a high school junior. In 1996, at the age of 17, Mitchell, who then went by the handle "RickDogg" in online forums, planted viruses in his high school's computer system. He was suspended for three days from Capital High School for planting 108 computer viruses "to disk space… assigned to another student on the Capital High School computer system," according to a school district memo obtained by the Charleston Gazette.
The Home Depot wasn't required to go digging through Mitchell's high school records to see what he was like as a teenager. Most of us tend to be jerks at that age -- I say that as someone with two teenage brothers -- and that shouldn't necessarily be held against us. But the 2012 EnerVest conviction shows that Mitchell has a history of compromising the security of people and companies he doesn't like, and it's strange that the Home Depot didn't notice this before handing him the keys.
We don't know whether Mitchell's role at the Home Depot and the data breach are related. Sabotaging a soon-to-be-former employer that has just fired you and sabotaging one that quickly promoted you to the top of the food chain are two very different things, as are exposing millions of people's credit card information and costing a gas company around $1 million in lost business. It could just be a coincidence.
But this, combined with the New York Times report that ex-employees at the Home Depot were reminded that the company sells hammers when they raised concerns about its lack of security, points to a negligent culture just waiting to be attacked by one hacker or another. Given the increasing rate at which these breaches are occurring, that's just unacceptable.