Home Depot: 56 Million Cards, One Vendor Password
You were already warned: the distance between an alert and a check
The most quoted fact about the Home Depot breach is the number — 56 million cards. The fact that should bother security teams more is the calendar.
In August 2013, Visa sent retailers a security alert describing malware that scrapes payment-card data out of a terminal’s memory. In January 2014, the FBI distributed its own warning about point-of-sale malware to the industry. The technique was named. The mechanism was described. Then, in April 2014, almost exactly that technique went live inside Home Depot’s self-checkout terminals and ran for five months.
This is the part that’s easy to misread as negligence and harder, and more useful, to read as structure. Nobody at Home Depot needed to invent a defense. The warnings existed. The PCI DSS requirements existed — firewalls, current antivirus, encryption in transit, monitoring. The FTC’s data-security guidance had existed since 2007. The gap was never knowledge. The gap was the distance between receiving a warning and confirming that the specific control it describes is actually in place, on the specific systems that matter, today.
That distance is where most breaches live, and it doesn’t show up on any dashboard. A warning arrives as a document. A control is a state of the world. The work that connects them — taking the alert, finding the exact systems it implicates, and verifying the control is on and current — is unglamorous, easy to defer, and almost never has an owner. Home Depot’s antivirus was a 2007 product still running in 2014. Somebody could have read the FBI alert and asked “is our endpoint protection current on the POS fleet?” The answer was available. The question was never connected to the warning.
So the practical takeaway isn’t “patch faster” or “buy the tool.” It’s to treat every external warning — every vendor advisory, every ISAC alert, every framework requirement — as a question that demands a confirmed answer about your own environment, with a named owner responsible for confirming it. Not “we’re aware of this.” A verified, dated “this control is in place on these systems.”
One concrete starting point, and the question we left the episode on: what is the oldest piece of security software still running in your environment, and when did anyone last confirm it was current? If you can’t answer the second half quickly, that’s the distance.
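One way to make that distance measurable, as an added example that is not from the episode and not Home Depot's own tooling: a small Python ledger that turns an external advisory into dated, owned attestations for every host it implicates, and answers the "oldest security software" question from the same inventory. Every host, product name, date and advisory detail below is constructed for illustration; the thresholds in the control checks (signatures no older than seven days, product released within the last three years, host firewall enabled) are assumptions for the example, not values the page specifies.

```python
"""Alert-to-control verification ledger (constructed example data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed "today" for the example, placed just after a January warning.
TODAY = date(2014, 2, 3)


@dataclass
class Host:
    name: str
    role: str                 # e.g. "pos-self-checkout", "corporate-ws"
    av_product: str
    av_release_year: int      # year the endpoint-protection product shipped
    av_signature_date: date   # last signature/definition update seen
    firewall_enabled: bool


@dataclass
class Advisory:
    source: str
    issued: date
    applies_to_roles: set     # which fleet roles the warning implicates
    required_controls: list   # control names it expects to be in place


@dataclass
class Attestation:
    """The verified, dated, owned answer the text asks for."""
    control: str
    host: str
    owner: str
    verified_on: date
    in_place: bool


# Assumed thresholds: what "current" means for this example only.
CONTROL_CHECKS = {
    "endpoint-protection-current": lambda h, today: (
        h.av_signature_date >= today - timedelta(days=7)
        and h.av_release_year >= today.year - 3
    ),
    "host-firewall-enabled": lambda h, today: h.firewall_enabled,
}

# Constructed inventory: one stale self-checkout terminal, one current one,
# one corporate workstation the advisory does not cover.
EXAMPLE_HOSTS = [
    Host("sco-0412", "pos-self-checkout", "legacy-av", 2007, date(2013, 11, 15), False),
    Host("sco-0413", "pos-self-checkout", "current-av", 2012, date(2014, 2, 2), True),
    Host("ws-corp-07", "corporate-ws", "current-av", 2012, date(2014, 2, 2), True),
]

# Constructed advisory modelled on a POS memory-scraper warning.
EXAMPLE_ADVISORY = Advisory(
    source="constructed-industry-alert",
    issued=date(2014, 1, 20),
    applies_to_roles={"pos-self-checkout"},
    required_controls=["endpoint-protection-current", "host-firewall-enabled"],
)


def verify(advisory, hosts, owner, today):
    """Turn an advisory into one attestation per (implicated host, control)."""
    records = []
    for h in hosts:
        if h.role not in advisory.applies_to_roles:
            continue
        for ctrl in advisory.required_controls:
            ok = CONTROL_CHECKS[ctrl](h, today)
            records.append(Attestation(ctrl, h.name, owner, today, ok))
    return records


def gaps(attestations):
    """Attestations where the required control is not in place."""
    return [a for a in attestations if not a.in_place]


def stale(attestations, today, max_age_days=90):
    """Attestations nobody has re-confirmed within the allowed window."""
    return [a for a in attestations if (today - a.verified_on).days > max_age_days]


def oldest_security_software(hosts):
    """Answer the closing question: oldest protection product still running."""
    h = min(hosts, key=lambda h: h.av_release_year)
    return h.av_product, h.av_release_year, h.name


if __name__ == "__main__":
    ledger = verify(EXAMPLE_ADVISORY, EXAMPLE_HOSTS, "sec-ops-lead", TODAY)
    for a in ledger:
        print(f"{a.verified_on} {a.owner:12} {a.host:10} {a.control:28} {'OK' if a.in_place else 'GAP'}")
    print("oldest:", oldest_security_software(EXAMPLE_HOSTS))
```

The point of the structure is that `verify` never produces an "aware of it" state: each implicated host and control gets a record with an owner and a date, and `gaps` plus `stale` are the two lists a team would review after any new advisory.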
The full technical breakdown of the breach — the network path, the memory-scraping mechanism, the response timeline, and the controls that were required but missing — is a free one-page PDF below.
