November 13, 2014 By Douglas Bonderud 3 min read

It just keeps happening. One retailer after another — Target, Dairy Queen, Kmart and now Home Depot — has been victimized by malware designed to steal credit card data and other sensitive consumer information. According to Dark Reading, Home Depot has discovered that 53 million email addresses were stolen along with credit data, putting consumers at risk for financial spear-phishing attacks.

While much has been made about flaws in well-known operating systems and the types of malware used, such as the popular Backoff point-of-sale strain, the issue of stolen vendor credentials has been largely ignored. Yet every major breach comes with a predictable beginning: Stolen credentials are used to open tiny doors into a retailer’s network, giving malicious actors the in they need to target high-level corporate systems and payment gateways. Is this retail’s real problem?

Common Thread: Stolen Vendor Credentials

According to The Wall Street Journal, Home Depot has confirmed that cybercriminals breached its systems in April with a stolen vendor password. Though the company has declined to name which vendor, it is carrying out an internal investigation.

“Data security just wasn’t high enough in our mission statement,” said former CEO Frank Blake.

Once inside the third-party network, cybercriminals jumped across to the company’s secure system by way of a Windows flaw, then targeted 7,500 self-serve terminals that were clearly marked as payment gateways. The relative ease of Home Depot’s breach has many companies running scared, looking for ways to beef up their security and detect malicious activity before it becomes front-page news. However, there is a problem: Even the most advanced security systems in the world are hard-pressed to defend against legitimate access. So long as credentials are being stolen, used and not reported until long after the fact, standard security measures won’t be effective.

Home Depot isn’t alone. PCWorld notes that Target’s infamous breach also began with stolen vendor credentials from a heating and ventilation contractor in Pennsylvania. Stolen credentials started the domino effect for the Kmart and Dairy Queen breaches, as well.

“A third-party vendor’s compromised account credentials were used to access systems,” John Gainer, CEO of Dairy Queen, said in a prepared statement.

The bottom line? All it takes is one account, one set of legitimate-looking credentials and a vendor that isn’t up-to-date with its data security or doesn’t notice the internal breach. Once cybercriminals have a foot in the door, getting them out becomes a challenge.

And Stay Out!

So what’s the solution? One option is for retailers to keep everything in-house, but in a world where cloud-based outsourcing is the new norm, this is an expensive and time-consuming prospect, even when it comes to security. SC Magazine offers a few suggestions, such as mapping sensitive data, evaluating risk on a per-vendor basis, building security assurances into vendor agreements to be clear about what’s expected and creating an incident response plan with responsibilities on both sides. Ultimately, however, it all comes back to the words of Blake: Data security can’t just be high on the mission statement, it needs to be first.

This means looking at data in a new way and treating information like a physical resource instead of a virtual one. Do retail companies need to know their vendors inside and out? Absolutely. Should they be more diligent about malware scans and patching OS vulnerabilities? Of course. But that’s just the beginning. Data security is no longer defined by who accesses information or where it goes, but rather why. Third-party vendor breaches will continue to happen. Their impact will be measured by retail companies’ ability to detect not just legitimate logins, but strange behaviors in real time and develop holistic systems that don’t allow payment systems to act as islands.

Stolen vendor credentials are the root cause of big retail breaches. To burn them out, data security must evolve.

Image Source: Flickr

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today