How Wal-Mart Was Hacked: Lying Engineer Infiltrates Company

How Wal-Mart was hacked is a cautionary tale about the vulnerability of information in the digital age.

The story of how Wal-Mart was hacked starts with a phone call to the manager of a store in a small military town. The call was allegedly from someone named “Gary Darnell” at Wal-Mart’s corporate headquarters in Bentonville, Arkansas.

Gary Darnell told the manager that he was giving a handful of Wal-Mart branch managers a chance to pilot a multi-million-dollar government contract, but first he needed a full picture of the store’s operations, CNN.com reported. Darnell spent 10 minutes giving details of himself, the government contract that would make the company “tons of cash,” and his plans for a visit.

In exchange, Darnell asked for information about the store including its janitorial contractor, cafeteria food-services provider, and even the shift schedule. By the end of the conversation, Darnell knew exactly when managers took breaks and where they went for lunch.

Then came the key detail of how Wal-Mart was hacked — Darnell asked the manager for details about the PC he used including the computer’s operating system and antivirus software. He then got the manager to click on an external website, but, when it was blocked Darnell, said he would call the IT department and fix the problem.

The manager thought nothing of it, CNN.com reported.

” ‘Sounds good,’ he answered. ‘I’ll try again in a few hours.’ “

Gary Darnell hung up the phone and stepped out of the soundproof booth where he had spent the last 20 minutes to applause. He had been performing for an audience of more than 100 people at the Defcon conference in Las Vegas who were listening to his every detail of how Wal-Mart was hacked. Darnell, who is really Shane MacDougall, was participating in a “capture the flag” contest to see who could capture every required data points, or flags, from a company.

For the competition, the social engineers are sent a dossier with the name and email of their target along with their list of targets, Social-Engineering.com reported. Participant are allowed to gather as much information as they can through public, open source information like company websites and even Facebook or Twitter.

Competitors then receive points based on how many flags they are able to get from their target.

“Social engineering is the biggest threat to the enterprise, without a doubt,” MacDougall told CNN.com after his call. “I see all these [chief security officers] that spend all this money on firewalls and stuff, and they spend zero dollars on awareness.”

How Wal-Mart was hacked might not be as important as why it was hacked, MacDougall explained. As the head of security firm Tactical Intelligence, he regularly conducts social-engineering tests for clients to check the vulnerability of their information.

The performances are poor across the board, he said, especially among sales employees.

“As soon as they think there’s money, common sense goes out the window.”

Bentonville executives see the story of how Wal-Mart was hacked as a stern warning to others, with Wal-Mart spokesman Dan Fogleman telling CNN.com: “We take the safeguarding of our business information very seriously and we’re disappointed some basic information was shared.”