Home Depot’s Former Lead Security Engineer Had a Legacy of Sabotage

You never know who’s watching those transactions.

Photo by David McNew/Getty Images

Information continues to trickle in on the Home Depot data breach, and it’s an ugly one. Last week, the company confirmed that its security lapse—the biggest ever for a retailer—had compromised the credit cards of 56 million customers from April to September. The data now being sold on black markets could contribute to an estimated $3 billion in illegal purchases.

Security experts, the New York Times reported, are “flabbergasted” that Home Depot could fall victim to such an enormous breach, less than a year after Target exposed the data of 40 million consumers’ cards last holiday season. But former employees of the home-improvement chain told the Times they were less surprised, and that security at Home Depot had long been “a record of missteps”:

In recent years, Home Depot relied on outdated software to protect its network and scanned systems that handled customer information irregularly, those people said. Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.

Buried at the bottom of the Times story was another concerning detail: Ricky Joe Mitchell, the former lead security engineer at Home Depot’s stores, was convicted this spring of sabotaging the security network of his previous employer.* He is now serving a four-year sentence in federal prison. Ars Technica dug up more details on Mitchell’s less-than-stellar record:

When Mitchell learned he was going to be fired in June of 2012 from the oil and gas company EnerVest Operating, he “remotely accessed EnerVest’s computer systems and reset the company’s network servers to factory settings, essentially eliminating access to all the company’s data and applications for its eastern United States operations,” a Department of Justice spokesperson wrote in a release on his conviction. “Before his access to EnerVest’s offices could be terminated, Mitchell entered the office after business hours, disconnected critical pieces of … network equipment, and disabled the equipment’s cooling system.”

According to Ars Technica, Mitchell also got into legal trouble over malicious technical activity in high school, when he was expelled for planting viruses in the school’s computer system. He reportedly described himself on his website as someone who loved “to write and distribute Viruses.” Of course people can change a lot between high school and adulthood. But between that early history and his actions at EnerVest Operating, Mitchell’s employment at Home Depot isn’t giving too many added votes of confidence to the company’s security team.

*Correction, Sept. 23, 2014: This post previously misstated Ricky Joe Mitchell’s title. He was not the head of Home Depot’s IT security; he was lead security engineer.