November 13, 2014 By Douglas Bonderud

It just keeps happening. One retailer after another — Target, Dairy Queen, Kmart and now Home Depot — has been victimized by malware designed to steal credit card data and other sensitive consumer information. According to Dark Reading, Home Depot has discovered that 53 million email addresses were stolen along with credit data, putting consumers at risk for financial spear-phishing attacks.

While much has been made about flaws in well-known operating systems and the types of malware used, such as the popular Backoff point-of-sale strain, the issue of stolen vendor credentials has been largely ignored. Yet every major breach comes with a predictable beginning: Stolen credentials are used to open tiny doors into a retailer’s network, giving malicious actors the in they need to target high-level corporate systems and payment gateways. Is this retail’s real problem?

Common Thread: Stolen Vendor Credentials

According to The Wall Street Journal, Home Depot has confirmed that cybercriminals breached its systems in April with a stolen vendor password. Though the company has declined to name which vendor, it is carrying out an internal investigation.

“Data security just wasn’t high enough in our mission statement,” said former CEO Frank Blake.

Once inside the third-party network, cybercriminals jumped across to the company’s secure system by way of a Windows flaw, then targeted 7,500 self-serve terminals that were clearly marked as payment gateways. The relative ease of Home Depot’s breach has many companies running scared, looking for ways to beef up their security and detect malicious activity before it becomes front-page news. However, there is a problem: Even the most advanced security systems in the world are hard-pressed to defend against legitimate access. So long as credentials are being stolen, used and not reported until long after the fact, standard security measures won’t be effective.

Home Depot isn’t alone. PCWorld notes that Target’s infamous breach also began with stolen vendor credentials from a heating and ventilation contractor in Pennsylvania. Stolen credentials started the domino effect for the Kmart and Dairy Queen breaches, as well.

“A third-party vendor’s compromised account credentials were used to access systems,” John Gainer, CEO of Dairy Queen, said in a prepared statement.

The bottom line? All it takes is one account, one set of legitimate-looking credentials and a vendor that isn’t up-to-date with its data security or doesn’t notice the internal breach. Once cybercriminals have a foot in the door, getting them out becomes a challenge.

And Stay Out!

So what’s the solution? One option is for retailers to keep everything in-house, but in a world where cloud-based outsourcing is the new norm, this is an expensive and time-consuming prospect, even when it comes to security. SC Magazine offers a few suggestions, such as mapping sensitive data, evaluating risk on a per-vendor basis, building security assurances into vendor agreements to be clear about what’s expected and creating an incident response plan with responsibilities on both sides. Ultimately, however, it all comes back to the words of Blake: Data security can’t just be high on the mission statement; it needs to be first.

This means looking at data in a new way and treating information like a physical resource instead of a virtual one. Do retail companies need to know their vendors inside and out? Absolutely. Should they be more diligent about malware scans and patching OS vulnerabilities? Of course. But that’s just the beginning. Data security is no longer defined by who accesses information or where it goes, but rather why. Third-party vendor breaches will continue to happen. Their impact will be measured by retail companies’ ability to detect not just legitimate logins but strange behaviors in real time, and to develop holistic systems that don’t allow payment systems to act as islands.

Stolen vendor credentials are the root cause of big retail breaches. To burn them out, data security must evolve.
