November 13, 2014 By Douglas Bonderud 3 min read

It just keeps happening. One retailer after another — Target, Dairy Queen, Kmart and now Home Depot — has been victimized by malware designed to steal credit card data and other sensitive consumer information. According to Dark Reading, Home Depot has discovered that 53 million email addresses were stolen along with credit data, putting consumers at risk for financial spear-phishing attacks.

While much has been made about flaws in well-known operating systems and the types of malware used, such as the popular Backoff point-of-sale strain, the issue of stolen vendor credentials has been largely ignored. Yet every major breach comes with a predictable beginning: Stolen credentials are used to open tiny doors into a retailer’s network, giving malicious actors the in they need to target high-level corporate systems and payment gateways. Is this retail’s real problem?

Common Thread: Stolen Vendor Credentials

According to The Wall Street Journal, Home Depot has confirmed that cybercriminals breached its systems in April with a stolen vendor password. Though the company has declined to name which vendor, it is carrying out an internal investigation.

“Data security just wasn’t high enough in our mission statement,” said former CEO Frank Blake.

Once inside the third-party network, cybercriminals jumped across to the company’s secure system by way of a Windows flaw, then targeted 7,500 self-serve terminals that were clearly marked as payment gateways. The relative ease of Home Depot’s breach has many companies running scared, looking for ways to beef up their security and detect malicious activity before it becomes front-page news. However, there is a problem: Even the most advanced security systems in the world are hard-pressed to defend against legitimate access. So long as credentials are being stolen, used and not reported until long after the fact, standard security measures won’t be effective.

Home Depot isn’t alone. PCWorld notes that Target’s infamous breach also began with stolen vendor credentials from a heating and ventilation contractor in Pennsylvania. Stolen credentials started the domino effect for the Kmart and Dairy Queen breaches, as well.

“A third-party vendor’s compromised account credentials were used to access systems,” John Gainer, CEO of Dairy Queen, said in a prepared statement.

The bottom line? All it takes is one account, one set of legitimate-looking credentials and a vendor that isn’t up-to-date with its data security or doesn’t notice the internal breach. Once cybercriminals have a foot in the door, getting them out becomes a challenge.

And Stay Out!

So what’s the solution? One option is for retailers to keep everything in-house, but in a world where cloud-based outsourcing is the new norm, this is an expensive and time-consuming prospect, even when it comes to security. SC Magazine offers a few suggestions, such as mapping sensitive data, evaluating risk on a per-vendor basis, building security assurances into vendor agreements to be clear about what’s expected and creating an incident response plan with responsibilities on both sides. Ultimately, however, it all comes back to the words of Blake: Data security can’t just be high on the mission statement, it needs to be first.

This means looking at data in a new way and treating information like a physical resource instead of a virtual one. Do retail companies need to know their vendors inside and out? Absolutely. Should they be more diligent about malware scans and patching OS vulnerabilities? Of course. But that’s just the beginning. Data security is no longer defined by who accesses information or where it goes, but rather why. Third-party vendor breaches will continue to happen. Their impact will be measured by retail companies’ ability to detect not just legitimate logins, but strange behaviors in real time and develop holistic systems that don’t allow payment systems to act as islands.

Stolen vendor credentials are the root cause of big retail breaches. To burn them out, data security must evolve.

Image Source: Flickr

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today