Report: Home Depot Ignored Warnings About Credit Card Hacking Since 2008

Home Depot is reeling after it confirmed this week that 56 million credit card users' data was stolen from its payment database. Now, The New York Times says the home improvement store ignored security warnings from its own computer experts for the past six years. Yeesh.

Speaking to the Times on condition of anonymity, former Home Depot cybersecurity employees reported that multiple serious warnings about the company's lack of computer security went unheeded for years.

Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: "We sell hammers."


A mix of outdated security software, infrequent and incomplete network scans, and a lack of concern from the company's leaders led to the massive leak, the former employees said.

Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company's stores.


After the Target credit card hack leaked 40 million credit and debit card users' info, Home Depot assembled a team to beef up the company's cybersecurity. In April, Home Depot began utilizing data-scrambling encryption at its point-of-sale equipment. But as the Times explains, that rollout was already behind:

But criminals were already deep in Home Depot's systems. By the time the company learned on Sept. 2 from banks and law enforcement that it had been breached, hackers had been stealing millions of customers' card information, unnoticed for months. The rollout of the company's new encryption was not completed until last week.


Perhaps most shockingly, the man in charge of Home Depot's in-store security, Ricky Joe Mitchell, isn't even at his post right now: He was sentenced to four years in federal prison this April, after disabling the computer system of the last company that fired him. [The New York Times via The Verge]

Image: Flickr / Mike Mozart