VPNs at the root of home depot data breach


It’s 10 a.m. do you know where your logins are?

In a not-surprising announcement yesterday, Home Depot reported: “Criminals used a third-party vendor’s username and password to enter the perimeter of Home Depot’s network." In addition to the previously published loss of 56 million credit cards, the thieves also helped themselves to 53 million email addresses. Phishing season opened early this year. The same attack vector used in the Home Depot data breach was used in the Target breach, where credentials granted to an HVAC company was compromised, resulting in the loss of 40 million credit cards. Why does this keep happening? Because of technical support’s dirty little secret. In the cases of the Target and Home Depot data breaches, the bad guys apparently stole VPN credentials, paired with an administrative credential on the server running the vendor’s software. With network access and an elevated credential, it was only a matter of time for the thieves to move laterally through the network to get to the payload. Over the last 11+ years, I’ve been in hundreds of software support centers. It was an accident, but I saw your logins. They’re written on sticky notes stuck to the side of monitors. They’re stored in clear text in Word documents circulated around the support center. They’re clearly visible in the vendor’s CRM system. Vendors aren’t bad people, they just play fast and loose with your credentials in order to meet the service level agreement (SLA) you asked them for. Earlier this year, I published five golden rules for managing third-party remote vendor access. Successful exploits attract more thieves probing for soft spots in your network. Exploiting third-party remote access has been successful at Jimmy John’s, Dairy Queen, Goodwill, Target, Home Depot and likely others. If you’ve got third-party vendors supporting your software environment, I would strongly urge you to ask the question: “where are my logins?”

Looking for a VPN alternative? Find out the best way to manage vendor access.