Why Microsoft isn’t to blame for Home Depot’s breach: an appeal for strong authentication

Last updated: 14 November 2019

Just a few days ago, America’s favorite home improvement store – The Home Depot – revealed a substantial data breach. Hackers had stolen 56 million credit card account details and around 53 million customer email addresses last year after gaining access via a contractor’s electronic billing account.

Upon discovery last April, and before an official investigation could take place, the retailer’s knee-jerk reaction was to blame its Windows operating system for the breach and transferred its executives over to Apple iOS with replacement MacBook laptops and iPhones. Or “bat phones” as they called them.

This was no doubt an expensive and complicated exercise. However, the investigation subsequently revealed the breach could be traced to “patient zero”, a server at a store south of Miami. It seems hackers used a user’s username and password to enter the retailer’s network before conducting an active directory privilege escalation attack to deploy malware. Granted, in a Mac environment the malware wouldn’t have worked, but a user who gained access to your environment by cracking the username and password could still have wreaked havoc.

As I explained last month, modern executives need to be trained to pick a prolific and highly-personal password, treat their devices and documents with the caution they deserve and be educated on the importance of security.

Home Depot would have been better to invest in access control, ID protection and email data encryption. Even a state of the art “bat phone” can’t save you if one of your employee’s passwords is ‘password’!