Appalling is right. Running Windows XP with so much advance warning that it was a bad idea? Incredible. http://www.dailytech.com/Appalling ...Holes Led to Home Depot Hack/article36517.htm
According to the article, Windows XPe is supported until 2016. Granted, it would probably be safer for retailers to upgrade to a Windows 7 based system, but if MS is supposed to be supporting XPe they have to take a lot of the responsibility. If the vulnerability has been known for a decade, what does that say for MS's so-called security patches?
This applies to every MS OS, not just XP. And these days even more so to the OSes of mobile devices, it seems. It's like they don't even care about those customers. Also, without reading that article (admittedly), I'd be willing to bet that said vulnerabilities could have been thwarted with some host hardening and good old-fashioned end user know-how, along with perhaps the right 3rd party support, without even needing patches. Most of the time it's as simple as not using Java, IE, or allowing 3rd party scripts. That and disabling known/highly vulnerable services like Remote Registry can stop most would-be vulnerabilities dead in their tracks without having to resort to waiting around on MS to patch their own F-ups (if they ever do). The MOST "appalling negligence" I witness personally is on the side of the end user, and not the OS/software manufacturers. That's not to dismiss the responsibility on their end; I'm just saying they are often blamed for people's own stupidity/lack of knowledge/laziness. If they could be bothered to spend a fraction of the time learning their way around a computer that they spend surfing porn or downloading apps onto their i-devices, they wouldn't have these problems. But everybody loves to pass the buck in this country, not only due to their inflated egos/stubbornness and unwillingness to admit fault, but also so that they can sue somebody and get a free lunch out of it.
Using a (still) supported OS doesn't seem like negligence to me... However, as luciddream said, there are probably other security mistakes they made that allowed the hackers access to their network.
The problem here is that the malware uses a RAM scraping technique. Windows XP and its variants have weak memory protection (no ASLR, for instance), therefore it is easy for compromised code to access the memory used by the POS software. Although Windows XPe may be supported until 2016, Microsoft has limited capabilities to fix the underlying problem. After all, it is an XP design issue. No amount of updates MS issues can adequately attempt to "fix" such a problem. This is the reason why not just MS but the security community that understands the issue recommends upgrading the OS, as the successors are better equipped with technologies to thwart such attacks (imperfect, but still better than none). The thing is, the ones running the show at companies like Home Depot and Target are not security professionals. It is not within their field of knowledge to understand the impact. They are good at what they do, that is, to optimize business profit. If the visible costs seem lower when the company chooses not to upgrade (at least while it's still "supported"), it is only natural that this seems to be the sensible decision to make. It's two opposite forces working against each other. The end result is a compromise where the customers are the ones that get hurt. There's no easy way out of the situation unless the CIO decides to fork out the cash or MS decides to provide a free upgrade. Even if that were to happen, there are things like compatibility issues that need to be considered.
This. This is so absolutely true. From what I've seen, management typically wants to "maximize value" at all times. It is a continuous struggle for higher-ranking IT staff to convince management that some things should be done because they are useful in the long run, provide intangible benefits, or are just morally obligatory. (And it's very rare for people to even mention the latter. Last time I mentioned ethics in an office setting, it drew gasps.) tl;dr: the security situation can be summed up in one word: Dilbert.