Sep 14

Banks: Credit Card Breach at Home Depot


Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating.

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”

There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.

A massive new batch of cards labeled "American Sanctions" and "European Sanctions" went on sale Tuesday, Sept. 2, 2014.

In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”

It is not clear at this time how many stores may have been impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico.

This is likely to be a fast-moving story with several updates as more information becomes available. Stay tuned.

Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.


  1. I love looking through a post that will make people think.

    Also, thank you for allowing me to comment!

  2. I am so sick and tired of banking institutions playing victim. In our case we live in San Antonio and we have been contacted by our bank three times this year to come in and get new cards.
    The bank does not make it public, the bank does not even apologize; they act like they are doing us a favor. Lone Star National Bank in Texas is so poor in customer service. But they do a good job at keeping the breach under wraps. Are they not supposed to make the information public? Personally I think the bank failed to protect us.

    • I agree. Changing cards is a hassle. It’s much better if the bank doesn’t change the card until it has been used to send a FedEx package from Texas to India for $3,800.

      The bank is required to notify its customers, which it sounds like it did, but no public notification is required.

      So quit your bellyaching already. The lack of security also means ease of use. A couple of years ago, a store was NOT ALLOWED to ask for identification beyond the card.

  3. Disclaimer: I work for a large bank. My opinions are my own, not theirs necessarily.

    Unless the bank lost the data, which is pretty rare, they are a “victim”. All we get from the card brands is a list of “hot cards”. We have to track down whose cards were swiped and scour the transactions. We are never told who the merchant is. We use reports like these and others to try and figure out where our exposure is and make changes to the fraud detection rules based on rumors. It really is a conspiracy of silence.

    The feds won’t release the information. The PCI Council won’t release any information after the fact such as who got fined and how much. The card brands won’t release any information. It’s all gleaned from news stories and subsequent court filings.

    We foot the entire bill for ordering and replacing the cards. Unless it’s a massive amount of money, probably six figures, the bank and its customers absorb the expense through higher fees and lower profits.

    If they are card-present transactions, we also absorb the loss. If they are card-not-present losses, we at least temporarily absorb the loss until we can get the transactions reversed.

    And it’s only going to get worse. Right now card-present transactions account for about 45% of card-related fraudulent transactions but the dollar value of the losses is higher than card-not-present fraud loss. When EMV goes into effect, card-not-present fraud skyrockets.

    In 2011 in the US card-not-present transaction losses accounted for about $2.1 billion. By 2018 it’s estimated to exceed $6 billion. That would follow the same trend as happened in Europe when they put EMV into effect.

    • And this is why you should be excited about Apple Pay. At first glance it seems to fix the security problems of chip and PIN for both card-present and card-not-present transactions. And it preserves the buyer’s identity even more; the retailer does not even get the buyer’s name in the transaction data.

  4. I shall pass along two pearls of wisdom I’ve learned over the years:

    “If you think technology can fix security, you do not understand technology and you do not understand security.”


    “Security problems are rarely caused by the technology and almost always by the implementation.”

    In the first, the premise is that the technology is usually what caused the security problem so it can’t fix itself (clear text transmission and storage or excessive rights being required, for example).

    In the latter, the premise is that the security problems are not caused by the technology but rather by how people took shortcuts (turned off encryption because it slows down transactions and backups, incorrect access controls, not changing default credentials, or simply the use of controls that were effective five years ago but are laughable today).

    In both, people created the technology and implemented it.

    It’s all a matter of numbers. There are some two billion people in the world with Internet access. You can have a crack team of thousands of people building what they think is a bulletproof technology and implementation.

    But once it’s implemented there will be hundreds of thousands of people around the world trying to circumvent it, around the clock. And if the crack team creates a product to sell, all bets are off on how the customer will implement it.
