Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating in Charleston, West Virginia—and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.

Further Reading Home Depot confirms breach but stays mum as to size

The Home Depot breach, which reportedly began in April of 2014 and went undetected until earlier this month, exposed an estimated 56 million credit card numbers. Home Depot spokesperson Stephen Holmes told The New York Times that the company maintains “robust security systems.” Home Depot officials have said that the malware used in the attack, BlackPOS, had not been seen before and would have been difficult to detect with its security scans.

However, former employees contend that the company relied on out of date antivirus software—a version of Symantec’s antivirus purchased in 2007. And the company didn’t perform network behavior monitoring, so they would not have detected unusual network traffic coming from point-of-sale systems.

The Payment Card Industry (PCI) Security Standards Council requires security scans at least once a quarter, and third-party security audits. But according to the Times’ sources, vulnerability scans were conducted irregularly, and usually only on a small number of stores. Two former Home Depot IT employees said that the security team was kept from checking a number of systems handling customer data.