Home Depot Confirms Data Breach At U.S., Canadian Stores

Home Depot confirmed on Monday that its payment systems have been hacked in a data breach that could affect millions of shoppers who used credit and debit cards at its more than 2,000 U.S. and Canadian stores.

The breach could turn out to be one of the biggest in history. Home Depot did not say how many cards might be affected, but the largest U.S. home improvement chain did say its investigation into the breach goes as far back as April.

The news comes nearly a week after a website that focuses on cybersecurity reported on Tuesday a possible hack of Home Depot’s data. The company said later that day that it was investigating the potential breach.

“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” Chairman and CEO Frank Blake said in a press release.

Home Depot is the latest retailer to have a data breach. Others include Target, luxury retailer Neiman Marcus, grocer Supervalu, restaurant chain P.F. Chang’s and the thrift store operations of Goodwill.

In December, Target Corp. disclosed a massive data breach that was the second-largest in history, resulting in the theft of 40 million debit and credit card numbers and the potential exposure of personal information of up to 70 million shoppers.

Forrester Research analyst John Kindervag said the Home Depot breach could affect similar numbers of shoppers or cards, noting that months’ worth of data may have been compromised.

“From what I’m hearing, people think this will be as big as Target or bigger,” he said in a telephone interview with The Associated Press.

The retail breaches have rattled shoppers’ confidence at a time when privacy concerns are high. It’s also increased pressure on retailers to increase security so that customers can feel safe that their personal data is secure when they’re out shopping.

Retailers, banks and card companies have responded to the breaches by speeding the adoption of microchips in U.S. credit and debit cards. That technology helps make transactions more secure.

Home Depot, which said malware was used in the hack, has announced that it plans to have chip-enabled checkout terminals at all of its U.S. stores by the end of this year.

In the meantime, the Atlanta company said its IT department also is looking into the breach and is working with outside firms, its banking partners, and the U.S. Secret Service. It added that customers will not be held responsible for fraudulent charges to their accounts.

The possible breach at Home Depot was first reported by Brian Krebs of Krebs on Security. Krebs said multiple banks reported “evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards.”

If Target’s breach is any indication, the fallout from the Home Depot breach could be severe.

The Target hack hurt the company’s profit and revenue. Target’s chief information officer and CEO both stepped down in the months after the hack.

“I would think if you’re a member of the board of directors, somebody has to be the sacrificial lamb for this,” Kindervag, the Forrester analyst, said about Home Depot’s breach.

Home Depot already has had some fallout. Its shares are down about 3 percent since Tuesday, and they fell 42 cents to $90.40 in Monday aftermarket trading.

Before the potential breach was announced, Home Depot said in August that Blake would step down as CEO on Nov. 1. He will be replaced by Craig Menear, president of the company’s U.S. retail operations.

[ From: http://www.npr.org/2014/09/09/347007380/home-depot-confirms-data-breach-at-u-s-canadian-stores ]

[SIZE=6]Home Depot says 53 million email addresses compromised during breach[/SIZE]
Home Depot says that in addition to 56 million payment cards, the attackers responsible for the breach on their POS network earlier this year also compromised 53 million email addresses.

Thursday’s breach investigation update also said the attackers leveraged a third-party vendor’s username and password in order to access the network.

Home Depot said the vendor’s credentials were not enough to access the POS network directly, so the attackers needed to elevate their access. Using a zero-day vulnerability in Windows, they did just that, and maintained their presence on Home Depot’s network for five months.

The retailer has stated previously that they believe the malware used in the attack was active on their POS network between April and September of 2014.

In a statement, Aviv Raff, the Co-Founder and CTO of Seculert, told CSO that there are way too many blind spots on a large network to prevent an attack. In Home Depot’s case, the fact that the attackers were able to live on the network for five months means “it’s more like a blind cavern than a blind spot.”

“This is mainly because Home Depot, like other retailers that got breached, were more focused on trying to prevent an attack than trying to detect an active compromise,” he added.

While a zero-day flaw in Windows ultimately allowed the foothold needed by the attackers to complete their mission, the issue of supply chain problems and third-party access once again comes to center stage, much like it did in the wake of the Target breach.

“The latest revelation about Home Depot’s email leaks once again brings to light the vulnerability of passwords. Everyone in IT knows strong authentication is the answer. So why aren’t we rolling it out? There is a general sentiment that implementing strong authentication is difficult, but it’s not anymore,” commented Incapsula’s CEO, Marc Gaffan.

Home Depot has stated that they plan to improve their overall security posture, but they are focusing on the public facing aspects first.

They’ve recently turned to Voltage Security for help protecting card data, and the plans to implement EMV (Chip & Pin) are on track to be completed before the year’s end. As far as enforcing two-factor authentication, or other protective measures in the supply chain, the company hasn’t issued any statements on the matter.

Thursday’s update also included a reminder that customers who used a payment card at a Home Depot store in 2014, from April on, are eligible to receive identity protection services at no cost.

For those who had their email address compromised, Home Depot said they’d be notified directly, and urged them to be on guard against phishing scams.

“The biggest threat to users who have had their e-mail stolen is the threat of Phishing,” said Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, in a statement.

“Spear Phishing tactics utilizing the knowledge that the e-mail addresses belong to Home Depot customers is a likely outcome, resulting in millions of people potentially receiving fake e-mails claiming to be from Home Depot requesting either the opening of an infected / malicious file or requesting login credentials. Of course these e-mails might just be sold to a spam agency looking for more potential customers to push their advertisements and junk mail onto.”

[ http://www.csoonline.com/article/2844289/data-breach/home-depot-says-53-million-email-addresses-compromised-during-breach.html]