Recent investigations into Home Depot’s massive security breach that occurred earlier this year unraveled evidence that the damage was worse than previously expected and that a Window’s vulnerability in the retailer’s main computer network allowed hackers access.
The company announced that roughly 56 million credit card accounts and 53 million email addresses were compromised.
Hackers took advantage of a security hole in Windows, which enabled them to spread malware and collect customer data, according to the Wall Street Journal.
“These [compromised] files did not contain passwords, payment card information or other sensitive personal information,” Home Depot said in a statement that detailed the findings of weeks of investigation by the retailer, in cooperation with law enforcement and the company’s third-party IT security experts.
“The company is notifying affected customers in the U.S. and Canada,” Home Depot explained. “Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.”
Hackers used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network, according to Home Depot. “The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada,” Home Depot explained.
According to the Wall Street Journal, “the hackers were able to jump the barriers between a peripheral third-party vendor system and the company’s more secure main computer network by exploiting a vulnerability in Microsoft Corp.’s Windows operating system, the people briefed on the investigation said.”
The Wall Street Journal report said that Microsoft issued a security patch after the breach began, but it came late. According to the sources familiar with the investigation, the hackers quickly moved across Home Depot’s systems, including its point-of-sale system.
Following the breach, an IT officer at Home Depot allegedly purchased two dozen MacBooks and iPhones for senior executives.
Both Microsoft and Apple declined to comment. “Microsoft has nothing to share regarding this particular inquiry,” a spokesperson for Microsoft said.
In addition to reportedly buying some Apple products, Home Depot has implemented cyber security enhancements, including enhanced encryption of payment data in all U.S. stores. “The new security protection locks down payment card data, taking raw payment card information and scrambling it to make it unreadable and virtually useless to hackers,” Home Depot said in its statement.
The company is also rolling out EMV chip-and-PIN technology, which adds extra layers of credit card protection for customers.
A little over a week following Home Depot’s statement about its security breach findings, Microsoft issued security updates to fix critical vulnerabilities in its software. Microsoft pushed 14 patches to address problems in Windows, Office, Internet Explorer and .NET, among other products. There has been no word about whether this had any relation to Home Depot's report.