September 18, 2014

Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record.

The disclosure, the first real information about the damage from a data breach that was initially disclosed on this site Sept. 2, also sought to assure customers that the malware used in the breach has been eliminated from its U.S. and Canadian store networks.

“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the company said via press release (PDF). “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”

That “enhanced payment protection,” the company said, involves new payment security protection “that locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.”

“Home Depot’s new encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms,” the statement continues. “The encryption project was launched in January 2014. The rollout was completed in all U.S. stores on Saturday, September 13, 2014. The rollout to Canadian stores will be completed by early 2015.”

The remainder of the statement delves into updated fiscal guidance for investors on what Home Depot believes this breach may cost the company in 2014. But absent from the statement is any further discussion about the timeline of this breach, or information about how forensic investigators believe the attackers may have installed the malware mostly on Home Depot’s self-checkout systems — something which could help explain why this five-month breach involves just 56 million cards instead of many millions more.

As to the timeline, multiple financial institutions report that the alerts they’re receiving from Visa and MasterCard about specific credit and debit cards compromised in this breach suggest that the thieves were stealing card data from Home Depot’s cash registers up until Sept. 7, 2014, a full five days after news of the breach first broke.

The Target breach lasted roughly three weeks, but it exposed some 40 million debit and credit cards because hackers switched on their card-stealing malware during the busiest shopping season of the year. Prior to the Home Depot breach, the record for the largest retail card breach went to TJX, which lost some 45.6 million cards.


142 thoughts on “Home Depot: 56M Cards Impacted, Malware Contained”

  1. Dan

    If the stolen card numbers are used to forge cards which are then used to buy merchandise, where is the merchandise sold to get the cash? With so many stolen card numbers there must be a huge black market in merchandise bought with forged cards. I assume small high value items like i-phones are favored by the thieves.

    1. Tim McCracken

      I, too, would like someone with more knowledge on the subject (ahem Mr. Krebs) to shed some light on this. It’s easy to just say they buy Xbox Ones for ~$400 and sell it for $300 for a quick turnaround, but I imagine any fraudster who does this kind of credit card fraud as a source of income has a more intricate operation in place.

      1. BrianKrebs Post author

        Much of the stolen merchandise goes back to Russia and Ukraine and other parts of the world where these same goods go for much more than what they can be resold for here in the United States. In this way, fraudsters overseas can actually amplify their return.

        The stolen goods typically exit the country via reshipping mule programs, of which I’ve written about here extensively. Increasingly, this is done using USPS labels that are paid for with cash (not stolen cards) by front companies operating in the US and created for the purpose of buying postage and accessing the banking system here in the US. These reshipping operations + “white label” shipping systems allow the fraudsters to evade the steep tariffs that Russia and Eastern Europe typically slap on new luxury goods such as iPhones and iPads and Xboxes.

        I recently wrote about this giant money laundering and profit amplification scheme in detail here:

        http://krebsonsecurity.com/2014/08/white-label-money-laundering-services/

        1. Matthew F.

          Guys, seriously, ebay. It's that simple. Those card numbers were more than likely sold, and the people buying them went out and more than likely bought gift cards to trade for bitcoins or to use to get stuff.

    2. Soy Tenley

      They ship them to their “business partners” via people they have recruited for shipping.

      It’s a job scam that has been around since before the Internet.

      In my early days of using the Internet (after 1996) I would get an email a month or so trying to solicit me to be a shipper. My job was to receive shipments from these people and then repackage the contents and ship to other addresses they provided. I had read some of these addresses were overseas.

  2. Eva

    Offering ‘free credit monitoring & ID theft protection’ after failing to do even basic data security is like punching me in the face and then offering free health care. Also, how about a list of exactly WHICH stores were impacted and which were not. Tired of this. Going cash only.

    1. Jeff Warnica

      Closer to a free bandaid, which will help block the next guy that punches you in the face.

  3. IA Eng

    What REALLY gets me is the NY Post writing on 9/19;

    “Then, in 2012, Home Depot hired a computer engineer to help oversee security at its 2,200 stores. But this year, as hacks struck other retailers, that engineer was sentenced to four years in prison for deliberately disabling computers at the company where he previously worked.”

    HA ! to me, it doesn’t have to be much to make a “hole” in a network. All it takes is one computer or server to have a security flaw that some one can exploit from the outside, and then the crooks have a landing pad.

    I wonder where else this………. insider threat worked at/for.

    1. Coolac

      IA Eng: That's not surprising at all… I always assume it's an insider threat. I've always said that about game companies that get hacked too. All the cheats that some hackers sell probably start with an insider leaking code.

      Kids I know that used to print stolen credit cards many years ago always told me they would give an insider at the bank a CD to stick in his computer, and the guy in Russia would pull the CC numbers.

      A gas station in the sticks, or a small corner store, is another story. But it's pretty hard to believe that guys can easily get skimmers or USB sticks into machines at banks or retail stores, that have security, with no one noticing.

      I mean if it's not an employee clicking a bad email link, then someone is most likely purposely sticking a bad drive in a computer, 9 times out of 10.

      I mean let's face it, contrary to the belief most Americans have that online transactions are less safe, it's the cashiers and tellers in these stores and banks that are the ones most likely to steal your credit card number. Way more than the chances of a cyber attack, imo.

      1. John Andrea

        I lost most confidence for internal security measures when the NSA allowed USB drives in their machines! Epoxy is a cheap and very effective solution to that! Unfortunately, most companies, both those buying and selling security products and services, think things are secure because they have a big price tag. And on top of that remember change by definition is good so we’ve done our due diligence. We have unfortunately lost common sense, proper procedures, and strict adherence to both.

  4. John Andrea

    It always brings a smile to my face to see how quickly companies like Home Depot can “confirmed that the malware used in its recent breach has been eliminated from its U.S. and Canadian networks.” Not only that but “The company also has completed a major payment security project that provides enhanced encryption of payment data at point of sale in the company’s U.S. stores, offering significant new protection for customers.”

    Shouldn’t it interest all of us that this significant change happened from September 2 – September 18? I’m sure that Home Depot and all other companies where we swipe our cards would have taken these steps if only they knew this kind of thing existed in the world! Things like this leave me shaking my head. One would think the “leaders” of these companies would want to protect the bottoms of their customers or even their own bottom lines yet they show complete disregard for both.

    Of course, they’ve figured out how to get high paying jobs and I’m here writing to you!

    1. IA Eng

      A Bottom line : Profits.

      In the end, any breached entity is/was in it for the money. To me, they seem OK with having lax security measures, and OK with raising their hand and saying, OOOPs, “we” fell victim too.

      Data breach findings is either a well kept secret, or companies just want to ride the gravy train until their pants are pulled down.

      Why wouldn’t the Secret Service, or other entity, come out and tell the retailers the exact cause of the breach? They could generically say it was caused by using this type of software and version, and if others are using the same thing, a workaround to combat the issue. It's ludicrous to think this is going to stop any time soon.

      Large and small companies don’t want to throw cash at the network security folks, just because they “might” get hacked. If there are any CISSP’s that are working at these major organizations and are flying by the seat of their pants, they should be ashamed of the lack of due diligence and due care involved in something like this.

      It's up to the company to lead by example. In the end, people will return and shop at the stores, so the companies know if they set a slightly higher price point on the thousands of products they offer that they can make up any losses in record time. The changes don’t have to be much in order to rack up some serious cash when millions of people shop at the establishment a year.

  5. John Andrea

    I have a couple questions after reading the Home Depot response that perhaps some of you might be able to answer.

    1. “The encryption project was launched in January 2014. The rollout was completed in all U.S. stores on Saturday, September 13, 2014.” I’m wondering how the stores did that had the encryption implemented between Jan and April when the breach started. Are cards used there appearing on the lists of stolen cards?

    2. “EMV “Chip and PIN” technology, which began rolling out in early 2013 and already exists in Canadian stores.” Since the Canadian stores already have Chip and PIN, am I right in assuming that this breach wasn’t stopped by it or the cards using it aren’t the ones stolen?

    And one observation. The space used describing the breach and the action they’ve taken is less than the space used describing how great Home Depot is and how they are still on track to meeting their fiscal goals. Of course they are in business to make money, but they need to remember where that money comes from and take care of their customer who make their bottom line.

    1. LeeA

      John:
      1. Unless their encryption project involved moving to hardware-based encryption, they are still vulnerable to RAM scrapers for the short amount of time that it takes for the software to encrypt the data. Also, if they have not moved to HW encryption with their processor managing the keys (i.e. tokenization would require this), then the card data would/must be decrypted internally before it is transmitted to the processor for authorization. Still has exposure.
      2. EMV only protects against the use of ‘fake cards’. It doesn’t protect against theft of track data as long as a merchant is still accepting mag stripe cards. Beware! Most European/Canadian merchants who still accept your American non-EMV cards, will swipe your track data and probably are not applying the PCI DSS prescriptive security measures for those. The good news is that many of them keep the swipe and authorization solely with the processor and will make the link only with a transaction code to the POS system.
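A simplified simulation of the distinction LeeA draws above, added here as an example and not code from the post or any commenter: static track data read from a mag stripe replays as-is, while a chip cryptogram bound to a transaction counter is rejected on replay. HMAC-SHA256 stands in for EMV's real 3DES session-key derivation, and the PAN and card key are constructed values.

```python
import hashlib
import hmac
import os

# Constructed sample data; not a real card, key or issuer record.
PAN = "4111111111111111"
EXPIRY = "2512"
# Mag stripe: the whole credential is static text the terminal reads and forwards.
TRACK2 = f"{PAN}={EXPIRY}1010000000000000"
# Chip: the card holds a secret the terminal never sees. Real EMV derives 3DES
# session keys from the ATC; HMAC-SHA256 is only a stand-in here.
CARD_KEY = os.urandom(16)

def magstripe_authorize(issuer_db, track2):
    """Issuer check for a swiped card: if the static track matches the record,
    approve. A copied track is indistinguishable from the original."""
    pan = track2.split("=")[0]
    return issuer_db.get(pan) == track2

def chip_sign(card_key, atc, amount, unpredictable_number):
    """Card side: per-transaction cryptogram over the application transaction
    counter (ATC), the amount and a terminal nonce (simplified ARQC)."""
    msg = f"{atc}|{amount}|{unpredictable_number}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()

def chip_authorize(issuer_state, pan, atc, amount, unpredictable_number, cryptogram):
    """Issuer side: recompute the cryptogram and require the ATC to advance,
    so a captured (atc, cryptogram) pair cannot be presented twice."""
    rec = issuer_state[pan]
    expected = chip_sign(rec["key"], atc, amount, unpredictable_number)
    if not hmac.compare_digest(expected, cryptogram):
        return False
    if atc <= rec["last_atc"]:
        return False  # replay or out-of-order counter
    rec["last_atc"] = atc
    return True

def demo():
    """Returns (magstripe_replay_ok, chip_first_ok, chip_replay_ok)."""
    stripe_db = {PAN: TRACK2}
    captured_track = TRACK2  # the same bytes a skimmer or RAM scraper would hold
    magstripe_replay_ok = magstripe_authorize(stripe_db, captured_track)

    chip_db = {PAN: {"key": CARD_KEY, "last_atc": 0}}
    atc, amount, un = 1, 4999, os.urandom(4).hex()
    cg = chip_sign(CARD_KEY, atc, amount, un)
    chip_first_ok = chip_authorize(chip_db, PAN, atc, amount, un, cg)
    # The same (atc, amount, un, cg) tuple observed on the wire, sent again.
    chip_replay_ok = chip_authorize(chip_db, PAN, atc, amount, un, cg)
    return magstripe_replay_ok, chip_first_ok, chip_replay_ok
```

The chip path still depends on the terminal refusing the mag stripe fallback: if the same card is swiped instead, `TRACK2` is what leaves the register, exactly as the comment warns.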

  6. Brett A. Hansen

    There have been several comments made that self-checkout kiosks are easier to hack than standard POS systems. Other than being unmanned, what makes a self-checkout easier to compromise? If the above statement was true, wouldn’t we see more of it before now? This is the first major report that has hit the news.

  7. Steve C

    Scooted through Home Depot at lunch today (cash transaction)… cashier commented on reduced credit card use by customers.

  8. E.G.

    I haven’t clicked any online ads in ages, for this reason. Got nailed a couple of times with surreptitious repeating charges, charges hidden in the fine print. I made it a policy from then on to never, ever click a solicited ad again–and as a sidenote, both were on Yahoo.

    Mail-bombing their contacts, website, the BBB and their owners (you CAN find these things on the Web about them) always got me out of it within 24 hours. They couldn’t refund me fast enough. But I won’t go through that hassle again.

  9. LeeA

    Not sure why there is still so much confusion over the liability of stolen cards. No cardholder in the US should be out any money for fraudulent charges to their stolen card. It can be a pain in the behind and can cause inconveniences, but the banks bear the liability for any charges and the merchants will face fines from the banks. I had to replace my main debit card because of this Home Depot breach, and I have shopped there since with my new credit card. Same with Target. Wake up America. You should be really concerned and vigilant on any potential social engineering scams if your personal data is stolen. More people should be concerned about that rather than credit card thieves. Banks could have greatly reduced this current issue by getting rid of the mag stripe quicker and implementing their own processor-controlled security, i.e. Chip and PIN, tokenization, etc.
