Home Depot Hacked with Old WinXP Flaw


The estimated 56 million Home Depot accounts exposed to potentially 3 billion in loses – was driven by an old WinXP flaw.–PC Pitstop

Home Depot Hacked with Old WinXP Flaw

By Stu Sjouwerman, for KnowBe4.com Security Awareness Training

The massive security breaches and theft of credit card information at The Home Depot and Target have something in common. They were both allowed by a vulnerability in XP embedded that was more than 10 years old!

The XP embedded, used in their POS systems, (yes, both definitions apply) was Win XPe SP3, which is not the last version of the XP-based embedded OSes. This whole disaster could have been avoided if Target and Home Depot upgraded to Win7 for Embedded Systems. Internal IT security people knew about this and told their friends and relatives to pay cash at Home Depot. OUCH.

Specific malware created for embedded XP systems reared up its ugly head in the middle of the last decade. They use a technique called “RAM scraping”, as WinXP has relatively weak memory access protection. Win 7’s memory protection is much better.

Article continued here

(Visited 63 times, 1 visits today)

9 thoughts on “Home Depot Hacked with Old WinXP Flaw

  1. @Charles Stensrud
    Powerless my butt. Go public tell consumers
    oooHH wait you wanted your pay check instead of security for consumers. Fact is you only care about your money. I vote class action and include any share holders that vote not to upgrade to protect consumers.

  2. I was one that was hit not once but twice on my Visa. 1st time it was for 2 separate transactions for $10. worth of gas in Florida then boom, a online purchase for $650. in Quebec, Canada. Visa cancelled card and 1 month later another hit of $700. online purchase in France. I used both Visa cards at Home Depot.

  3. For those who think that the IT folks are culpable, just realize that the necessary upgrades would cost (shareholders) money and would require budgetary approval. I have worked for people whom have been warned about the consequences of their actions (or lack of) and have been powerless over the end result. In the same position, unable to act, I would have done the same thing!

    Those who think otherwise are either totally ignorant, or just plain wrong!

  4. I shop at Home Depot and Target. After the Target breach, I received a notice from my bank and had to replace my card. The same thing just happened with Home Depot. I just got the notice from the bank along with a new card. If my bank was using the chip card, this would not happen!

  5. Considering that the I.T. people knew and the company let it slide then they are culpable, in my mind.

    Normally I would say that security begins and ends with each card holder, but this incident is just sloppy, lazy and short term profit driven.

  6. I work for the company, and they do need to upgrade all of their computer systems, or more things will happen. Maybe their new CEO will get the hint!

  7. What I don't understand is that according to the article, internal security IT people knew and warned their friends and family yet allowed everyone else to be hit for their personal and financial information. How sorry is this and if this can be proven can they be held responsible for anyone who's identity gets hit? It would serve Home Depot right if they get a class action suit for this after the Target ordeal. They knew their system was as vulnerable as Targets'.

  8. Slack approach to security again – will profit driven organisations ever learn.
    I guess until legislation makes possible prosecution for such carelessness there is unlikely to be any change.

    • @peterlonz: You don’t make laws to prosecute kids or their parents for leaving toys out in the yard that someone can steal. Too many laws! The sharholders/company(who need to take care of the cardholders if they had any damage-yet hear exactly what) need to go after the person the IT people told that made a cost analysis not to upgrade.

Leave a Reply

Your email address will not be published. Required fields are marked *