September 2, 2014

Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating.

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”

There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store — rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.

A massive new batch of cards labeled "American Sanctions" and "European Sanctions" went on sale Tuesday, Sept. 2, 2014.


In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”

It is not clear at this time how many stores may have been impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico.

This is likely to be a fast-moving story with several updates as more information becomes available. Stay tuned.

Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.

Follow-up reporting:

Data: Nearly All U.S. Home Depot Stores Hit

Home Depot: 56M Cards Impacted, Malware Contained

In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes

Home Depot Hit by Same Malware as Target

In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud

Home Depot: Hackers Stole 53M Email Addresses


305 thoughts on “Banks: Credit Card Breach at Home Depot”

  1. Tired

    I am so sick and tired of banking institutions playing victim. In our case we live in San Antonio and we have been contacted by our bank three times this year to come in and get new cards.
    The bank does not make it public, the bank does not even apologize; they act like they are doing us a favor. Lone Star National Bank in Texas is so poor in customer service. But they do a good job at keeping the breach under wraps. Are they not supposed to make the information public? Personally I think the bank failed to protect us.

    1. Bruce Hobbs

      I agree. Changing cards is a hassle. It’s much better if the bank doesn’t change the card until it has been used to send a FedEx package from Texas to India for $3,800.

      The bank is required to notify its customers, which it sounds like it did, but no public notification is required.

      So quit your bellyaching already. The lack of security also means ease of use. A couple of years ago, a store was NOT ALLOWED to ask for identification beyond the card.

    2. Linda

      Oh, boo-hoo! Cry me a river! You should be grateful for the fact that your bank even bothers to contact you to let you know that your card may have been compromised. I can only imagine the hissy fit you would throw over the very *real* inconvenience you would face if your card had been compromised and if someone was using your information to purchase items without your consent.

      I, for one, am grateful for the fact that the bank my sister and I belong to takes the time to inform us that our cards may have been compromised, and that we should register new cards. I, for one, am grateful for the fact that my bank looks out for its customers.

      Maybe you should try being *grateful* for a change, instead of boo-hooing over what is only a *slight* inconvenience compared to an even bigger inconvenience.

    3. ida tarbell

      If they called everyone and issued new cards, who got left out beyond the factophiles like myself, who insist on knowing everything possible and scour the papers and internet each day for the arcane bit of new knowledge.

  2. JJ

    Disclaimer: I work for a large bank. My opinions are my own, not theirs necessarily.

    Unless the bank lost the data, which is pretty rare, they are a “victim”. All we get from the card brands is a list of “hot cards”. We have to track down whose cards were swiped and scour the transactions. We are never told who the merchant is. We use reports like these and others to try and figure out where our exposure is and make changes to the fraud detection rules based on rumors. It really is a conspiracy of silence.

    The feds won’t release the information. The PCI Council won’t release any information after the fact such as who got fined and how much. The card brands won’t release any information. It’s all gleaned from news stories and subsequent court filings.

    We foot the entire bill for ordering and replacing the cards. Unless it’s a massive amount of money, probably six figures, the bank and its customers absorb the expense through higher fees and lower profits.

    If they are card-present transactions, we also absorb the loss. If they are card-not-present losses, we at least temporarily absorb the loss until we can get the transactions reversed.

    And it’s only going to get worse. Right now card-present transactions account for about 45% of card-related fraudulent transactions but the dollar value of the losses is higher than card-not-present fraud loss. When EMV goes into effect, card-not-present fraud skyrockets.

    In 2011 in the US card-not-present transaction losses accounted for about $2.1 billion. By 2018 it’s estimated to exceed $6 billion. That would follow the same trend as happened in Europe when they put EMV into effect.

    1. Bruce Hobbs

      And this is why you should be excited about Apple Pay. At first glance it seems to fix the security problems of chip and PIN for both card-present and card-not-present transactions. And it preserves the buyer’s identity even more; the retailer does not even get the buyer’s name in the transaction data.

  3. JJ

    I shall pass along two pearls of wisdom I’ve learned over the years:

    “If you think technology can fix security, you do not understand technology and you do not understand security.”

    and

    “Security problems are rarely caused by the technology and almost always by the implementation.”

    In the first, the premise is that the technology is usually what caused the security problem so it can’t fix itself (clear text transmission and storage or excessive rights being required, for example).

    In the latter, the premise is that the security problems are not caused by the technology but rather by how people took shortcuts (turned off encryption because it slows down transactions and backups, incorrect access controls, not changing default credentials, or simply the use of controls that were effective five years ago but are laughable today).

    In both, people created the technology and implemented it.

    It’s all a matter of numbers. There are some two billion people in the world with Internet access. You can have a crack team of thousands of people building what they think is a bulletproof technology and implementation.

    But once it’s implemented there will be hundreds of thousands of people around the world trying to circumvent it, around the clock. And if the crack team creates a product to sell, all bets are off on how the customer will implement it.

  4. Me

    Good to know that the average Ivan is partaking in the sanctions against the west.

  5. Terrance McCann

    Given how lucrative this criminal activity is I don’t expect it will ever be defeated. The Good Guys will patch (eventually) the hole that allowed the Bad Guys in but the BGs will find another exploit.

    Assuming my premise is correct, is there any way I can periodically search for my accounts on the market?

    Terry

    1. ida tarbell

      There’s an 800 # on the back of your card for customer service. I called that and had the card company route every one of my credit card transactions in both text messages and emails to me. The text message number was a Google Voice number that keyed text to a cell phone, email and my GV website, where texts, voicemail recordings, even transcriptions of voicemail recordings are kept all the way back to 2009. The text number hasn’t worked, so I gave them another cell # to use instead.

  6. ida tarbell

    How do I get a look at the website where the hacked credit cards are for sale? I saw a spot on CBS which showed the cards on an HD screen as a newsman, and perhaps Krebs, I’m not sure, discussed them. The Milwaukee Journal Sentinel took a snapshot of all the Home Depot stores in Wisconsin and posted the number of cards for sale and at risk at the snapshot moment, but I can find no access to the supposed ‘hidden’ website. Where is it? I want to go on it and find the names of friends and warn them.

  7. Scared Canadian

    My credit card company wouldn’t cancel my card and give me a new one when I called to say I had shopped at Home Depot in August and paid with the card. They said they had “inside information” that the target of their breach was a certain type of card and that the Canadian credit cards were chipped and they could not be used for any type of scam as no information is accessible for “chipped” cards and their target was the “unchipped” cards like in the US. Does anyone else have any information about how “chipped” cards could be breached and if I should press for a new card, or will this not solve the problem, and they have my name etc.? What happens when they “shop” my card on the online hack list? Anyone know? The credit card rep said, “It was ‘all hands on deck’” for them when the Target breach went down, but for this one, there was limited security focus at their credit card company…should I trust that and not worry? Thank you for any help you can give. Worried:(


  9. Dean

    I can not believe that Home Depot has taken NO action to solve this problem.

    Management acts like business as usual and other than a “free credit report” their message to the public is we are sorry! Really!!

    This morning I saw that the hackers are now putting our credit card data up for a quick end of Sept. sale. Looks like just another Home Depot sales scam.

  10. ida tarbell

    There are so many Home Depot credit cards for sale, at such low prices, there’s a suggestion they won’t all be sold. Demand appears to be low. Too much product in the marketplace. I have a cousin who’s shopped at Home Depot with his credit card. He’s not doing anything special about it. There are too many cards out there.

  11. Morgan Lee

    I second you ida. I had the same experience as your cousins when I was in USA for my exchange program. I am originally from Malaysia and if I now compare the financial institutes of two countries, I think USA needs to improve.

    Not that we don’t have any complaints; sure we do but then USA is advanced country and Malaysia is still progressing!
