NEWS ANALYSIS: A compromise of a third-party vendor's access credentials that led to 53 million user email addresses being stolen was just the first step of the Home Depot attack. Other retailers would do well to learn from this attack.
Home Depot revealed new information on Nov. 6 about the data breach that it first officially confirmed in September. Home Depot initially reported that the breach, which lasted from April to September of this year, affected 56 million payment cards. The scope of the breach has now been expanded to include 53 million customer email addresses. Home Depot has not publicly disclosed how many of the breached email addresses belong to the affected payment card holders.
For those 53 million accounts, the attackers stole only the email addresses; Home Depot has stated that no payment card data, passwords or other personal information was taken along with them.
The secondary disclosure that email information was stolen in addition to payment card data follows the same pattern as the Target breach. Target initially disclosed in December 2013 that 40 million payment cards had been stolen in its data breach; in January 2014, Target raised that number and revealed that the personal information of 70 million customers had also been taken.
Home Depot is providing some insight into how the attacker was able to get inside its network. A third-party vendor's username and password were somehow compromised, giving the attacker access to the network.
The attacker having third-party access, however, is not the end of the story. Home Depot revealed that the third-party credentials got the attacker only as far as the network perimeter; from there the attacker had to exploit another vulnerability in order to do damage.
"These stolen credentials alone did not provide direct access to the company's point-of-sale devices," Home Depot stated in a press release. "The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom built malware on its self-checkout systems in the U.S. and Canada."
That's the real root cause, in my view: a privilege escalation flaw. Getting into the network itself is interesting, but without elevated privileges, which the third-party vendor's account did not have, the attacker could not do any damage.
We do not know the specifics of the privilege escalation flaw used, though there are myriad techniques available to attackers. On Windows systems, for example, one is the NTLM (Windows NT LAN Manager) pass-the-hash attack, in which an attacker who has captured the password hash of a more privileged account can authenticate as that account without ever knowing its password, and so elevate the access the stolen credentials provide. There are other types of privilege escalation attacks that work on Linux and Unix systems as well. The bottom line, though, is that proper change management and access policy management, including monitoring of which accounts log on to which systems, might have noticed the privilege escalation. Apparently in the Home Depot incident, the privilege escalation was not detected when it initially occurred.
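The detection gap described above can be illustrated with a small heuristic. The following Python is an added example, not code from the article or from Home Depot: it scans constructed Windows Security event 4624 records for the shape a pass-the-hash logon leaves in the log (network logon, NTLM authentication package, zero-length session key) and then raises an alert only when the account reaches a host outside an assumed allow-list or fans out to several hosts within a short window. The vendor account name, host names, IP addresses, timestamps and allow-list are all assumptions made up for the example.

```python
"""Heuristic pass-the-hash detection over Windows Security 4624 records.

Added example, not code from the article. All records and names below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (NOT real logs). Each dict carries the subset of
# Windows Security event 4624 fields the heuristic needs.
SAMPLE_EVENTS = [
    {"time": "2014-04-12T02:10:05", "Computer": "FS01", "TargetUserName": "hvac-vendor",
     "IpAddress": "10.20.5.17", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "KeyLength": 0},
    {"time": "2014-04-12T02:11:40", "Computer": "POS-US-02", "TargetUserName": "hvac-vendor",
     "IpAddress": "10.20.5.17", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "KeyLength": 0},
    {"time": "2014-04-12T02:12:02", "Computer": "POS-US-03", "TargetUserName": "hvac-vendor",
     "IpAddress": "10.20.5.17", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "KeyLength": 0},
    {"time": "2014-04-12T02:12:30", "Computer": "POS-CA-01", "TargetUserName": "hvac-vendor",
     "IpAddress": "10.20.5.17", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "KeyLength": 0},
    # Ordinary Kerberos logon by a staff user: never a candidate.
    {"time": "2014-04-12T02:15:00", "Computer": "FS01", "TargetUserName": "jdoe",
     "IpAddress": "10.20.7.44", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "KeyLength": 0},
    # NTLM network logon that negotiated a session key: not the pass-the-hash shape.
    {"time": "2014-04-12T02:16:00", "Computer": "BK01", "TargetUserName": "svc-backup",
     "IpAddress": "10.20.9.9", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "KeyLength": 128},
    # Null-session noise that the candidate filter must ignore.
    {"time": "2014-04-12T02:17:00", "Computer": "FS01", "TargetUserName": "ANONYMOUS LOGON",
     "IpAddress": "10.20.5.17", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "KeyLength": 0},
]

# Assumed access policy: the hosts each third-party account may reach.
# Accounts absent from this map are not policed by the allow-list rule.
ALLOWED_HOSTS = {"hvac-vendor": {"FS01", "HVAC-GW"}}


def is_ntlm_network_logon(ev):
    """Select 4624 records with LogonType 3, NTLM package and a zero-length
    session key: the shape a pass-the-hash logon leaves. Legitimate NTLM
    network logons look the same, so this only picks candidates."""
    return (ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM"
            and ev["KeyLength"] == 0
            and ev["TargetUserName"].upper() != "ANONYMOUS LOGON")


def detect_pth(events, allowed_hosts, window=timedelta(minutes=10), fanout=3):
    """Return a list of (reason, user, detail) alerts.

    Two behavioural conditions are applied to candidate logons:
      host_outside_allowlist: the account reached a host its policy forbids;
      lateral_fanout: the account reached >= `fanout` distinct hosts within
                      `window`, the spread pattern of credential reuse.
    """
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_ntlm_network_logon(ev):
            continue
        user, host = ev["TargetUserName"], ev["Computer"]
        allowed = allowed_hosts.get(user)
        if allowed is not None and host not in allowed:
            alerts.append(("host_outside_allowlist", user, host))
        by_user[user].append((datetime.fromisoformat(ev["time"]), host))
    for user, logons in by_user.items():
        # Sliding window over this account's time-ordered candidate logons.
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= fanout:
                alerts.append(("lateral_fanout", user, sorted(hosts)))
                break
    return alerts


if __name__ == "__main__":
    for reason, user, detail in detect_pth(SAMPLE_EVENTS, ALLOWED_HOSTS):
        print(f"{reason}: {user} -> {detail}")
```

Run as a script, it prints three allow-list violations and one fan-out alert for the vendor account in the sample, and nothing for the staff user, the backup service or the null session. The candidate filter on its own would fire on every legitimate NTLM network logon; what makes the heuristic usable are the two behavioural conditions, and both depend on knowing in advance which hosts a third-party account is supposed to reach, which is exactly the access policy the paragraph says was missing.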
Home Depot has also reiterated that the malware the attackers deployed, once they had executed their privilege escalation attack, was previously unknown. That means it was not the Backoff malware that has impacted 1,000 retailers.
What the new Home Depot breach details clearly show is that this was a multistage attack, the product not of any one failure but of several defensive inadequacies. The compromise of the third-party vendor's credentials is one point of failure. The undetected privilege escalation is the second. The malware that ran undetected on the self-checkout systems is the third. Finally, the fact that the data was exfiltrated from the network without detection is the icing on the cake.
All of this breach activity comes with a cost that Home Depot will need to pay. At this point those costs are unknown.
"The company is not able to estimate the costs, or a range of costs, related to the breach," Home Depot stated.
As the holiday shopping season is almost here, other retailers would do well to learn quickly from the lessons of Home Depot and other breaches to protect themselves and their customers.
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.