It just keeps happening. One retailer after another — Target, Dairy Queen, Kmart and now Home Depot — has been victimized by malware designed to steal credit card data and other sensitive consumer information. According to Dark Reading, Home Depot has discovered that 53 million email addresses were stolen along with credit data, putting consumers at risk for financial spear-phishing attacks.

While much has been made about flaws in well-known operating systems and the types of malware used, such as the popular Backoff point-of-sale strain, the issue of stolen vendor credentials has been largely ignored. Yet every major breach comes with a predictable beginning: Stolen credentials are used to open tiny doors into a retailer’s network, giving malicious actors the in they need to target high-level corporate systems and payment gateways. Is this retail’s real problem?

Common Thread: Stolen Vendor Credentials

According to The Wall Street Journal, Home Depot has confirmed that cybercriminals breached its systems in April with a stolen vendor password. Though the company has declined to name which vendor, it is carrying out an internal investigation.

“Data security just wasn’t high enough in our mission statement,” said former CEO Frank Blake.

Once inside the third-party network, cybercriminals jumped across to the company’s secure system by way of a Windows flaw, then targeted 7,500 self-serve terminals that were clearly marked as payment gateways. The relative ease of Home Depot’s breach has many companies running scared, looking for ways to beef up their security and detect malicious activity before it becomes front-page news. However, there is a problem: Even the most advanced security systems in the world are hard-pressed to defend against legitimate access. So long as credentials are being stolen, used and not reported until long after the fact, standard security measures won’t be effective.

Home Depot isn’t alone. PCWorld notes that Target’s infamous breach also began with stolen vendor credentials from a heating and ventilation contractor in Pennsylvania. Stolen credentials started the domino effect for the Kmart and Dairy Queen breaches, as well.

“A third-party vendor’s compromised account credentials were used to access systems,” John Gainer, CEO of Dairy Queen, said in a prepared statement.

The bottom line? All it takes is one account, one set of legitimate-looking credentials and a vendor that isn’t up-to-date with its data security or doesn’t notice the internal breach. Once cybercriminals have a foot in the door, getting them out becomes a challenge.

And Stay Out!

So what’s the solution? One option is for retailers to keep everything in-house, but in a world where cloud-based outsourcing is the new norm, this is an expensive and time-consuming prospect, even when it comes to security. SC Magazine offers a few suggestions, such as mapping sensitive data, evaluating risk on a per-vendor basis, building security assurances into vendor agreements to be clear about what’s expected and creating an incident response plan with responsibilities on both sides. Ultimately, however, it all comes back to the words of Blake: Data security can’t just be high on the mission statement, it needs to be first.

This means looking at data in a new way and treating information like a physical resource instead of a virtual one. Do retail companies need to know their vendors inside and out? Absolutely. Should they be more diligent about malware scans and patching OS vulnerabilities? Of course. But that’s just the beginning. Data security is no longer defined by who accesses information or where it goes, but rather why. Third-party vendor breaches will continue to happen. Their impact will be measured by retail companies’ ability to detect not just legitimate logins, but strange behaviors in real time and develop holistic systems that don’t allow payment systems to act as islands.

Stolen vendor credentials are the root cause of big retail breaches. To burn them out, data security must evolve.

Image Source: Flickr

More from

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates.Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?[button link=""…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read