
The Security Hot Seat: Home Depot

by Brian Mullins on Tuesday March 21, 2017


As the biggest payment card breach in history continues to unfold, the home improvement giant finds itself in the Security Hot Seat.

Last week Home Depot admitted that cyber criminals stole an estimated 56 million debit and credit card numbers from Home Depot customers between April and September 2014. That’s roughly 16 million more than the Target breach and the largest retail card breach on record. If the information from former Home Depot security employees is in fact true, then it’s a wonder that the stolen card total wasn't dramatically higher. What went wrong and what can other organizations learn from Home Depot's missteps?

According to former employees, here are the 4 big mistakes that left Home Depot vulnerable.

  1. Relied on outdated software to protect its network. Home Depot used 2007 Symantec antivirus software and didn’t continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.
  2. Scanned systems with customer data inconsistently and incompletely. Home Depot performed vulnerability scans on computer systems inside its stores irregularly. More than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.
  3. Performed inadequate background checks of key security personnel. In 2012, Home Depot hired and promoted a security engineer to oversee its security systems. In April of this year, that employee was sentenced to four years in prison for performing a factory reset on his former employers' servers.
  4. Ignored employee pleas for new security software and training. Several former Home Depot employees told the New York Times that when they sought new software and training over the years, managers came back with the same response:

"We sell hammers."

These breaches are being executed by sophisticated international cyber criminals. If executives are not setting the right tone and providing their security teams with proper resources, then these breaches are going to get even worse before they get better.
