It's a truism in cybersecurity that behind every great hack lies a string of bad decisions and missed opportunities. It's also true that when you dig into the details of damaging cyber incidents, the root causes are personal and psychological as often as they are technical. Organizations, even sophisticated and wealthy ones, end up making bad decisions for all the wrong reasons: failing to properly assess their risk, or pursuing short-term savings when long-term investment is needed.
Home Depot learned via law enforcement that a breach of transaction data exposed as many as 52 million credit card transactions, the largest retail credit card breach to date. But as more comes out about the breach at the home improvement giant, it looks increasingly as if the root causes may lie in the HR department rather than the data center.
The drumbeat started over the weekend with Nicole Perlroth's story in The New York Times, which quoted former employees saying that Home Depot gave short shrift to security: relying on outdated antivirus software from Symantec and only infrequently running vulnerability and malicious software scans on the systems that handled critical customer transactions.
The image that emerges is of a company that badly managed its human resources, at least in the area of IT security. Entreaties from IT security staff to change company policies or expand security operations were, reportedly, rebuffed by upper management with the answer "we sell hammers", as if Home Depot's business operations were a simple affair. And then there's the July 2012 hire of Ricky Joe Mitchell as an information security architect. As Perlroth notes, Mitchell came to Home Depot from EnerVest, an oil and gas company, and moved up quickly through the ranks. In March 2013, he was promoted to the position of Senior Architect for IT Security, in charge of the entire company's security architecture.
But, as Perlroth revealed, Mitchell had a spotty work history. He had been fired from EnerVest. Not just that: when he learned of EnerVest's plans to let him go, Mitchell wreaked havoc on EnerVest's data center before leaving, an act of sabotage that cost the company up to $1 million to repair. He was sentenced to four years in prison in April of this year for that crime.
And, as Sean Gallagher points out over at Ars Technica, that wasn't Mitchell's first brush with the law. In 1996, a 17-year-old Mitchell, using the handle "RickDogg" in online forums, planted viruses in his high school's computer system. He was suspended for three days from Capital High School for planting 108 computer viruses. Mitchell was later expelled from the school after he posted threats against students whom he blamed for reporting him to school officials. The case went to the West Virginia Supreme Court after Mitchell and his family sued to have him reinstated at the school.