The Home Depot team tasked with protecting customer credit card data from hackers was understaffed and overwhelmed for years before the biggest security breach in retail history hit the company, several former employees told The Huffington Post.
Over three months in the spring of 2013, four of the eight people responsible for ensuring that credit card data was encrypted as it traveled through Home Depot’s computer network left the company, continuing a pattern of high turnover and turmoil that former employees said had persisted since late 2011. The four left in part because they were frustrated that management did not address their security concerns, according to one former worker who requested anonymity because he did not want to publicly criticize a former employer.
The former security employee told HuffPost that he had raised "red flags" with Home Depot management about the lack of encryption. He said he thought that flaw violated payment card industry security standards. But he said management didn't address his concerns, and he quit last year.
"It was painfully easy to capture that data," the former employee said.
The staff turnover had been going for years. In fall 2011, Home Depot’s overall security team had about 60 employees with a variety of responsibilities, from finding security flaws in the network to ensuring that the company was meeting industry security standards. But shortly after Jeff Mitchell took over as information security chief in August of that year, about 30 of those workers left in a period of three months, according to another former Home Depot security employee. Their loss made the job of protecting the network that much harder for those who remained.
"You're having a hard enough time finding security holes," one former Home Depot security engineer told HuffPost. "Then half the people in your department leave and your workload doubles. It makes it even harder to catch stuff."
Two former security employees described Mitchell as "bullying" and "abrasive" and said he was partly to blame for the loss of talented personnel.
Last week Home Depot revealed that hackers had stolen data on 56 million customer debit and credit cards in what amounted to the largest retail breach on record. The hackers used malware to raid the home improvement chain's computer system for more than five months starting in April. Law enforcement authorities and security firms continue to investigate the theft, the latest in a string of such attacks against major retailers over the past year.
Banks nationwide have started to see fraudulent transactions related to the Home Depot breach that are draining customer bank accounts, according to The Wall Street Journal.
Home Depot said it has removed the malware and tightened security by encrypting payment card data at its U.S. stores. The retailer has also introduced machines that read a new type of credit card that uses an embedded microchip and a code to authorize transactions, making it more difficult for thieves to produce counterfeit credit cards. Such enhanced cards have not been widely introduced in the United States yet.
"Our guiding principle is to do what’s right by our customers," Home Depot spokesman Stephen Holmes said in an email, adding that the company maintains "robust security systems."
The company did not respond to a question about current staffing levels on its security team. It also declined to comment on Mitchell's management style and did not make him available for an interview. Mitchell did not respond to a message seeking comment.
Former Home Depot employees have made similar claims about the security team to Bloomberg Businessweek and The New York Times, painting the picture of a hardware chain struggling to fight off threats in the digital world.
It remains unclear how the hackers found their way into Home Depot’s network or whether the security team could have stopped them, regardless of staff levels, since the thieves reportedly used custom-made malware that had never been seen before.