Add Home Depot to the list of companies that have been victimized through a third-party contractor or supplier.
The home improvement giant said in a statement on Thursday that the criminals who attacked the company’s network first gained access to the “perimeter” of Home Depot’s network.
Target, the box store retailer, sketched out a similar scenario to describe the breach that resulted in the theft of 70 million credit card numbers from its customers. In that case, a company that serviced HVAC systems in Target’s headquarters was reported as the source of the breach.
Home Depot said that attackers were able to move within its network by elevating their level of network access and install what Home Depot described as “unique, custom-built malware” on self-checkout systems in the U.S. and Canada.
The revelations about the circumstances of the breach came on a day when Home Depot also revealed the extent of data theft in the incident, which first came to light in September.
Home Depot said that, in addition to payment card information stolen from compromised point-of-sale systems, files containing approximately 53 million email addresses were taken during the breach.
Home Depot said customers should be on guard against phishing scams that use the stolen emails. The company claims that it has removed the malicious software that was installed and closed off the avenues that attackers used to compromise the network.
Reports that followed the breach painted a picture of Home Depot as a firm that badly managed its IT security resources. Entreaties from IT security staff to change company policies or expand security operations were, reportedly, rebuffed by upper management with the answer “we sell hammers” – as if Home Depot’s business operations were a simple affair.