September 18, 2014

Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record.

pwnddepotThe disclosure, the first real information about the damage from a data breach that was initially disclosed on this site Sept. 2, also sought to assure customers that the malware used in the breach has been eliminated from its U.S. and Canadian store networks.

“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the company said via press release (PDF). “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”

That “enhanced payment protection,” the company said, involves new payment security protection “that locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.”

“Home Depot’s new encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms,” the statement continues. “The encryption project was launched in January 2014. The rollout was completed in all U.S. stores on Saturday, September 13, 2014. The rollout to Canadian stores will be completed by early 2015.”

The remainder of the statement delves into updated fiscal guidance for investors on what Home Depot believes this breach may cost the company in 2014. But absent from the statement is any further discussion about the timeline of this breach, or information about how forensic investigators believe the attackers may have installed the malware mostly on Home Depot’s self-checkout systems — something which could help explain why this five-month breach involves just 56 million cards instead of many millions more.

As to the timeline, multiple financial institutions report that the alerts they’re receiving from Visa and MasterCard about specific credit and debit cards compromised in this breach suggest that the thieves were stealing card data from Home Depot’s cash registers up until Sept. 7, 2014, a full five days after news of the breach first broke.

The Target breach lasted roughly three weeks, but it exposed some 40 million debit and credit cards because hackers switched on their card-stealing malware during the busiest shopping season of the year. Prior to the Home Depot breach, the record for the largest retail card breach went to TJX, which lost some 45.6 million cards.


142 thoughts on “Home Depot: 56M Cards Impacted, Malware Contained

  1. Terry Bowden

    Home Depot cards = 56M
    TJX cards = 45.6M
    Target cards = 40M

    Top 3 total = 141.6M
    US population 320M

    Hands up anyone who has not been affected.

    1. Nathan

      Haven’t been affected by Target or TJX.

      Still waiting on Home Depot, and checking my credit card activity several times per week.

      1. Jason

        Why keep checking your account and wait for an abuse? If you used your card at any breached retailer, call your CC company and tell them that you suspect your card number may be compromised and you want a new card overnighted to you. I have done this each time, and sometimes they balk at the overnight – but I tell them I use the card all the time and cannot wait a week to get a new card.

        1. Jim L

          Don’t bother to cancel your credit cards – just monitor your statement. If you see a fraudulent charge, let the credit card company know and they will take care of it. You are not out any money.

          On the other hand, debit cards are a problem because your bank account can be drained. I am seriously considering stopping all use of my debit cards. While my bank will restore funds, I have to wait for that to happen.

      2. Darrell B.

        I just went ahead and canceled all of my cards. This exercise will make me think about what cards I use, and where.

    2. MC

      According to creditcards.com, there were 775 million “general purpose payment cards” (meaning credit plus debit) in circulation in the United States as of the middle of last year. Good point however, that damn near every person will have been hit by now.

      I’d wager that all of the cards affected by the TJX breach way back when, and nearly all of the ones hit at Target last year, have already been replaced. It’s time to leave this IT game behind and get into the plastic manufacturing business.

    3. BillC

      Good observation. Which is why I’ve cancelled/re-issued potentially exposed credit cards immediately after each of these events (Target, HD, etc.) have been reported. A bit of a nuisance, but the credit card companies have been anxious to get the new cards in my hands quickly!

      1. Andrew

        I feel pretty fortunate; my financial institution of choice does some limited monitoring of my credit card to begin with. It’s mostly/all automated, but if any questionable things show up they call and confirm before it comes up as approved. I ordered something once from Texas, and of course my card was charged in Texas. In literally minutes, my C.U. was calling me and asking if I had made such a charge.

        I was not affected by Target as I don’t go there, never been to P.F. Chang’s, don’t have a reason to go to a Sally Beauty, didn’t ever visit Harbor Freight in their timeframe, but I most definitely visit Home Depot plenty. My C.U. identified my card (and likely all others from them) had payments done to H.D. within the attack window, and have automatically sent me a new card. My old one remains valid until I receive and activate my new one, then the balance from the old one will automatically transfer over. Of course, if any suspicious charges show up in the meantime they’ll be dealt with.

        I can’t even remember if I used a self-serve POS at any point. I think I used one once but I can’t recall if that was at H.D. or Lowe’s to be honest, either way I’m glad my C.U. decided to remove hassle from me (and also minimize their risk of biting the zero-fraud-liability bullet).

      1. Ole bin Login

        Yep dont shop at the one that have been compromised, go somewhere else that has not announced a compromise yet! Odds are you now safer to shop at target HD or TJX!

        Its not if they get compromised its when they get [ or notice] a compromise!

        1. pegr

          You’ve made a parsing error. Here, let me make it clear for you:

          “(I) don’t shop at TJX, Target, or THD. (I am) unaffected – as of yet.”

          Thank you, come again! 😉

      2. lopol

        And you didn’t know this before they released statements that they were affected. So what makes you think places were you do use your cards havent been affected? because they haven’t released a statement yet?

        Come on dont be one of those ” i have nothing to hide” and think closely about what one can do with credit card information.

        “Hi sir how can i help you”
        “I’m having trouble signing in to my account”
        “Yes sir could you verify the last 4 digits of your credit card”
        “****”
        “thank you”

        1. pegr

          “First six, last four” are not considered cardholder data (public).

      3. Larry

        Odds are there’s another major retailer that’s being compromised right now, that won’t notice it for months. You won’t find out who’s being compromised right now until they release a statement in December.

        My advice: use cash wherever practical.

    4. mike~acker

      i got a new card number and i’m not going to activate it. PCI is broken.

      1. Jason

        Not so funny thing: I got a new card years back (2011) when Citibank got breached internally. I only ever used the CC online, and even then used their unique CC number generator (so each retailer got a different CC number for each transaction, and I believe they have a shorter expiration date). So I had a fraud charges show up. I called and reported and they sent me a new card. I received the new card via FedEx and it was sitting on my coffee table for a few weeks – unopened – and yet by the 3rd week I had more fraud charges. I called CitiBank and complained, and they had no response. I told them if they can’t secure or explain why my un-activated new card had fraud charges, I didn’t want their card. I cancelled my account and within another month there was a CitiBank security breach news story. Totally inept company who won’t listen to a customer telling them they have a problem.

        http://money.cnn.com/2011/06/27/technology/citi_credit_card/

        1. Andrew

          I’m sure it was a mixture of talking to the wrong person/people, and outright hubris.

          Some people think that they know more than the person pointing out a perfectly valid issue – like fraudulent charges on an unactivated card. It should have been brought to the attention of someone who actually has a grasp on the implications of this kind of situation, rather than Joe/Joann Representative, who just follows a script and is not comfortable (or maybe allowed) to go outside the boundaries of the perfectly-sculpted, lawyer-approved script.

          And hubris is just another issue of arguably larger magnitude than the previous example. It’d be one thing for someone to be stupid, and pass the stupid buck on to you for it. But it’s another for a person to fully understand the problem, be able to figure out where the likely source is, but either just takes too much pride in the IT security of the company (thinking it’s locked as tight as or even tighter than the vault at the nearest branch office) or taking far too much pride in the company as a whole – thinking it impossible that such an institution could ever get so large and well-known if it were ever attacked, or thinking it “too big to fail,” and hyper-extending this dubious concept from just “sink as a whole” to “not even one little rowboat in our fleet would ever capsize.”

    5. ogwjm

      You thought too quickly about this. There is BETWEEN 56M & 141.6M stolen cards, but you can’t know precisely how much.

    6. Wharrgarble

      [raises hand] The closest I’ve come so far was using a card at a store affected by the Supervalu breach about a week before the supposed start date.

    7. E.M.H.

      Not affected by Home Depot (none in my area) and TJMaxx (don’t ever shop there). Affected by Target only in that a precautionary replacement was made; I never did find my card on Rescator’s dumps. Otherwise, didn’t lose any money or had any illicit charges made.

  2. Frederick Begbeder

    Some cards was stolen multiply times and then selled by two-three times… and what was stolen? any information will be able to use… this is a property of information. and data can be used to “form” in-formation

  3. Sscott

    The breech’s referred to only consider USA interests. Of course other companies in other countries are no doubt being breached undetected.

    1. russ

      Brian understandably focuses his articles on US breaches; I do wonder what it’s like in other countries (more breaches? fewer? what differences and similarities are there?)

      I can imagine that the US gets hit more often due to it having a large relatively affluent population that does a LOT of shopping via plastic compared to many countries, and perhaps also due to English being better known as a foreign language to typical foreign criminals than e.g. German or Polish or Finnish or something.

      1. Reader

        Yeah, Brian. I’m also curious. What’s the situation like in other countries, outside our own USA, with regard to recent data breaches? And foreign-located, domestic company data centers?

    1. Eric

      Visa is rolling out chip-and-signature, not chip-and-pin. And if there is no PIN, then any potential vulnerability related to the PIN number isn’t even relevant.

      1. Larry

        How secure is a signature?

        All the cards I have say “Not valid without an authorized signature”. But I cross that out with a sharpie and print “CHECK I.D.” in the signature block. Is there a reason they don’t use photo I.D. as verfication by default?

        1. pegr

          Technically speaking, the merchant is supposed to decline a transaction if the card is not properly signed by the customer. Me? I haven’t signed the back of my card in years. I’m still waiting for someone to say something. No one ever has.

        2. Old School

          The following is advice that I have used since I received it in 2007: ” Do not sign the back of your credit cards. Instead, put “PHOTO ID REQUIRED”. ” The few times clerks have checked the back of my card in the last seven years they have just asked for my photo ID so I produce my drivers license. I never have had a problem.

          1. Andrew

            This is pretty sound advice.

            A signature doesn’t seem to mean as much in general these days but it can still be pretty important for some things – and it’s still worth limiting “access” to it.

            If someone tries to steal your identity, limiting as many unique attributes about you as possible is important. There are still some things that require a signature – if nothing else, just proof that you accept the terms of a contract. Now if someone were to find your card on the ground, if you signed it, they now have something to work from to forge a signature. Some things which require a signature, if you can provide good proof that that ISN’T your signature, you may be able to reverse the particular situation on your way to repairing your good name.

          2. Reader

            Writing “check identification” does nothing to prevent your card from being used or copied. Clerks are under no obligation to check that what you’ve written isn’t, in fact, your actual signature. Only if the signature block is unsigned will the clerk be responsible for the cost of fraud, generally; but you’ll be in more trouble (see below).

            Writing “check identification” violates card agreement terms, which means that you forfeit all protections usually associated with such cards.

            It’s also fraud to purchase goods with an unsigned card, as the signature on the card indicates your agreement with the terms of its use, including payment for charges. Essentially, by purchasing goods without agreeing to pay, you’ve stolen those goods through fraud.

            A store clerk has every right to contact police and report you for fraud, theft, and unauthorized purchase, when you present an unsigned card. They’re also within their rights to keep evidence (the card and surveillance of you) of your fraud, as well as to (in many locales) physically prevent you from leaving the store with stolen goods.

            So good job, asshat. Just sign your friggin’ card or leave it at home, if you’re so scared it’ll be used without your permission.

            1. Robert.Walter

              I don’t recall seeing these issues in any of the terms and agreement documents I have read from the major credit card companies., most recently 26 pages from AMEX.

              My recollection is that by activating the card and using it, the cardholder tacitly agrees to the card issuer’s T&C.

              If you are not too busy hunting an asshat in a mirror, Id appreciate if you would back up your assertions with a couple of citations.

          3. bob

            That method is by no means full proof, but its better than just using your signature. Anyway, the theives can still print another card, use someone else’s stolen card, or a prepaid debit card then encode your credit/debit information onto those cards. They can also use it online.

    2. icknay

      Chip and Pin doofus here!

      That research refers to a way to get around the PIN requirement to use an EMV card — i.e. the mugger runs off with your card and uses it. That case is actually kind of rare and totally different from the magstripe-breach case we have here. EMV cards perform great vs. magstripe-breach as it happens. Actually the issuers have decided to give out USA EMV cards without PIN at all, so that research doesn’t apply like 2 times over! Many think that the issuers are dumb to leave out the PIN, but that’s what we’re getting.

      1. JCitizen

        gyre is right Cow-chip-N-Pen is a big expensive mistake that is TO BID TO FAIL, and I’m NOT paying for it!!!

        February 2008
        http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf

        February 2010
        http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html
        ” ”
        http://news.bbc.co.uk/2/hi/science/nature/8511710.stm
        September 2012
        http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

        Video summary of above report
        http://www.bbc.co.uk/news/technology-19559124

        (Source http://nc3.mobi/references/emv/) Posted by Jonathan E. Jaffe

        Also Cow-chip-n-pen

        http://www.theregister.co.uk/2014/05/19/chip_and_skim/

        1. Eric

          You can keep beating on that dead horse if you want to (I presume there is some other technical solution you like better), but the fact of the matter is that the industry is in the process of rolling out EMV in the U.S. The time for evaluating other solutions is long past. Deal with it.

          1. JCitizen

            Fine! If they pass that huge failure and expense to my pocket; I’ll just quite using credit cards all together. I grew up when they didn’t even exist and everyone was actually better off financially for it!

            1. Andrew

              That is actually quite true.

              1.) No credit card system to defraud in the first place, and

              2.) One less line of credit for people to bury themselves with under debt. Used PROPERLY, it’s actually a great tool for building your credit score. But a lot of people just act like it’s a “free money card” and then wonder why they have bill collectors calling 16 hours a day.

              1. JCitizen

                Thanks Andrew;

                There is better technology out there, like MagnePrint and PassWindow. Perhaps merchants should consider self checkout where the customer is technically going online to pay for merchandise. Of course with the new Apple system coming out, that may take over just because of popular demand, and not whether it is secure or not. Credit cards may quickly be replaced by even more insecure smart phones!

  4. TheOreganoRouter.onion.it

    I read that Home Depot was using a outdated version of a Enterprise Symantec Antivirus on their P.O.S. computers.

    Just the facts.

    1. Phil Cooper

      Not to put too fine a point on it, P.O.S. terminals running Microsoft Windows. How lame could they be? I would have expected them to use BSD or a special, security-hardened version of Linux.

    2. Jim

      Updated Symantec, or not, A/V bypass is not too difficult, and if I were taking the risk of penetrating a company as large as Home Depot–I’m re-writing whatever exploit I’m using so that the signature isn’t detected by any current malware (which isn’t too difficult). A software white list solution would be much better than A/V, especially for something like POS terminals. Still, both could be bypassed by malware running fully in memory.

      As for XP embedded–it’s not end of life. It’s still supported and getting updates and patches. Yes, you could go with a *nix solution, but what specifically makes a hardened *nix any more secure than a hardened Windows box? Just because it’s open source, doesn’t mean it’s more secure–just look at Heartbleed. Plus, there are plenty of Metasploit modules out there for *nix boxes–IMO security depends a lot more on proper configuration and base-lining than the type of OS someone is implementing.

      1. Andrew

        I agree – A/V solutions seem to be at least 75% reactive rather than proactive. There are solutions that use heuristics to try to have some sort of proactive measures, but it’s hit-or-miss. For reactive response, the virus would first have to successfully be on your system and a scan run before it’s flagged, or “semi-reactive,” where it sees the virus going on and then flags it, but it’s already on now.

        Hardening points of entry is where it’s at, and this is not A/V’s strong suit. Really we’re comparing A/V to firewalls and the like here – a firewall being something that’s designed to prevent intrusion from ever occurring and thus being a proactive security measure. There are other tools, whether it’s monitoring traffic with packet sniffers, or any other of a number of tools and tricks, to help lock down a system at least more securely. A safe may still be stolen from a store, but it’s far more difficult if you at least put some bolts from it to the floor!

        One thing I would think to do would be to lock down the allow/deny list on what POS systems can talk to. Of course, they might talk to each other, and obviously to the store’s main system. But from here, what access should the main system have? It should have access to corporate/regional, and any things expressly needed for functionality – a whitelist that specifically includes just the bare necessities. Communicating to/from financial institutions, and receiving software updates that are passed from the software company to the stores, rather than received at corporate and trickled down. ALL other traffic should be blocked, at all times. There is no need for anything else, and if there really is, there should be a completely-segregated network that’s allowed more public-facing access.

      2. bob

        A *nix system can provide many benefits security wise over windows. For one it has stronger and more flexible access control. In addition, many distros (if not all) provide a built in firewall (iptables). Moreover, the enterprise *nix has a stronger remote access software (ssh). Further, the package management system makes managing software updates MUCH easier. Instead of updating each program separately one can can update everything at once with 2 commands additionally all software installations and updates are authenticated automatically.

        Aside from the features I mentioned above there are several kernel patches to harden the system even more. One such patch is grsecurity.

  5. Politically Correct

    That’s what they get for showing us that politically correct “BAREFOOTIN” commercial over and over again.

    Cramming different races into disturbing social scenarios will get you hacked every time.

    1. Politically Corrected

      There’s a rock out there with your name on it. Crawl back under it.

      1. Wigga Baby

        He has a point. Minorities are offended by this type of phony advertising. I live in a diverse neighborhood of Los Angeles and never see social scenarios like that. Looks like these sponsors on cable television don’t care about making realistic ads.

        1. Jeff

          Funny you should say that. My ex is the black woman in that commercial, and while I try not to speak for my significant others – especially the exes – we both agree with you. She still lives in LA, and I used to, and while we’ve been to ethnically diverse social scenarios (I’m white, so we were an ethnically diverse social scenario :), they are rare and definitely not like what they are in the commercials. And yeah… the Barefootin’ thing. Sigh.

          1. Rich

            I agree. We used to live at the shore——Jersey shore. It is not at all like the clowns portray in “Jersey Shore.”

  6. Ria

    message I rcv’d from PNC Bank Monday night
    “Our research has identified you as one of those individuals who made a purchase at a Home Depot store using a PNC debit or credit card during the time in question. We are currently investigating the situation and will advise you if there is a need to replace your card.”
    “We also strongly recommend that you review your PNC Bank account statements and online transaction activity on a regular basis.”
    Having had fraudulent charge of $4015.00 on my Visa in July which resulted waves ok Anxiety attacks I wasn’t waiting for anyone to advise me of anything. I called them and told them to cancel our cards now!

    1. IA Eng

      Put a cap on your daily expeditures. I have mine set to $400.00 on cards that I use daily. Worse case scenario you’d lose 400 bucks, one-tenth of what you lost before.
      Should you need to make a bigger purchase, all it takes is a call to the bank.
      I have 2 CC’s I use. One for big purchases that happen occasionally, and the other is for daily/weekly purchases.
      I refuse to use debit cards at most locations. I stopped using checks about 5 years ago. Those have direct links to your bank account.

      1. Jason

        A cap of $400 would be a pain for me, especially at Costco. Shoot, I’ve bought cars with CCs.

        Instead, set email/text alerts. Does your Bank/CC not let you set email alerts? Time to switch companies. Every CC/Bank I have an account with has an email/text alert system. I know within minutes of any charge over $300. Much of the time I know within seconds of the transaction.

    2. Brown

      What difference does it make? $400 or $4000 either you you’re not responsible.

      1. Phil Cooper

        What difference does it make? When credit card fraud happens, ultimately all of us end up paying for it through higher cost of goods and services. It’s that kind of “I-don’t-care” attitude by merchants and Web site operators that has made the huge security breaches of recent years possible and recurrent.

        1. brown

          I’m sorry but the amount of fraud occurring is nothing compared to the expansion of the money supply. Increaing prices are mostly due to inflation of the money supply. The effects of fraud are negligible.

          1. Andrew

            But how might the economy be negatively-impacted as people start losing confidence in the convenience of the card vs the risk imposed? Cash is always welcome at brick-and-mortar, but isn’t exactly an option at online retailers. PayPal can be linked to an account and used pretty much like a debit card for online payment situations, but again this is another potential compromise point – and it has been before.

            Amazon alone runs in the high double-digits of billions of dollars in revenue a year. If say 33% of people making regular purchases become far too afraid of the system to keep using anything besides cash (and just biting the bullet and doing some traveling to do some shopping if they don’t live in the city), that’s easily $25 billion in cash no longer circulating. Of course, some of this cash may end up just circulating at a B&M instead, but all those frivolous purchases made just because of the Amazon Convenience might not happen and would still take at least a couple billion MINIMUM out of play.

          2. Robert.Walter

            Why are you bringing up that topic? Out of control QE is not the point being discussed here.

  7. Terry Bowden

    Updating the stats, TJX is quoted at 90 M cards:
    “That makes it the second-largest breach for a U.S. retailer on record, behind TJX Cos.’s theft of 90 million records, disclosed in 2007, and ahead of Target’s pre-Christmas 2013 breach that compromised 40 million credit and debit cards.”
    Ref: http://abcnews.go.com/Technology/wireStory/home-depot-malware-affected-56m-payment-cards-25604885

    Top 3 = 90 + 56 + 40 = 186 M for a US population of 320 M. That’s incredible.

    1. Phil Cooper

      There may be some overlap, so the total number of cardholders is likely somewhat less, although some cardholders may have had their information compromised in multiple locations or had more than one card compromised.

    2. Coolac

      I always say, 1 out of 3 Americans have had credit stolen, so seems about right. Not surprising.

  8. Mike

    Awesome. Started my kitchen remodel in May and finished it in early July. Must have gone to Home Depot 75 times during that time period.

    It’s incredible how common these incidents are becoming. While it is interesting to add up all the amounts of stolen cards in each breach, I’d bet a lot of those numbers have overlapping customers who were breached more than once.

    In the last 2 years, I’ve been affected by the breaches Target, Goodwill, Home Depot, Jimmy Johns, Chase, Nationwide Insurance, and probably others that aren’t coming to mind right now. Not to mention the ones I don’t know about.

    It’s almost at the point that I don’t even care anymore.

  9. Alex

    Still waiting to see if the $1800 best buy charge in a city 6 hours from here on my card was due to home depot or something else. Will my bank be able to tell me? I did purchase stuff at home depot in the time, but never did self checkout.

    1. brown

      Your bank won’t tell you where your card was compromised, mostly because they don’t know for certain. Just because you were at Home Depot doesn’t mean you weren’t also somewhere else that was also compromised but just not in the news.

      Skimming operations and data breaches occur every minute. At any one time 20%-40% of a bank’s active accounts are listed on some form of alert. Most of the time the fraud rates don’t justify the cost to reissue so they just monitor them.

      The bank also won’t tell you where your card was compromised due to liability issues. Especially since they don’t know exactly wherenit happened.

      1. David

        @Brown

        I can’t speak for the US but in Canada the banks know. They also won’t tell you. The fraud teams know but the agent that calls you won’t know.

        I had access to the fraud systems at one point and can tell you that we could pin down debit fraud to an individual ATM or store.

    2. Andrew

      But what exactly are you waiting for? Have you not already reported this as fraudulent, and asked for a new card?

  10. nov

    “But absent from the statement is … information about how forensic investigators believe the attackers may have installed the malware mostly on Home Depot’s self-checkout systems …”

    Nor: Any mention of certification of the whole Home Depot (HD) network of the likelihood that it won’t have malware placed on it again (and breached again). As a consumer of HD what do I see: The same network, with encryption added and a network that had personal information grabbing malware on it. There is nothing said about why I should trust that malware is less likely to be placed on it (again). From a network security perspective there is nothing leading me to trust that the HD network didn’t have a higher-level internal breach (of like server administrative permissions) and that the network as a whole is (or is not) more secure.

  11. Robert.Walter

    ““The hackers’ method of entry has been closed off,”…

    This will not be true until the CEO, CFO, CIO all get the sack.

    Either they are all asleep at the switch, or they saw what happened at Target, and failed to learn from it.

    Indolence and/or Incompetence and/or Arrogance doth not good C-suite qualities make.

    1. Rich

      Apparently someone did look…. their statement says they started implementing a new security feature in January 2014. That would put the implementation authorization somewhere around the October-November time-frame. Perhaps as late as December

      1. Ralph Daugherty

        You will always see these incompetent Windows corporate blowhards respond that they have security software that was *almost* ready when this hit. Everytime. It makes them sound like they at least were trying to be on top of things. They never spell out what this security software is and how it would have prevented it. In general it’s a weasely statement that sounds good and doesn’t mean anything, the same as all their other statements.

        They also say this was custom malware that AV software didn’t detect, as if running Windows and depending on AV software to detect intrusions is a given. I hope this cost these corporations run by incompetent pseudo-IT peole a lot of money. That’s the only thing that will force them to use professionals.

  12. Paul

    28 digits between you and your money, enough said.

    Also the system is self regulated in such a way that the networks make money no matter what kind of transaction.

  13. Marc

    There are many more ways the card data is getting into the wrong hands. Macys had a major problem with their Amex cards getting cloned (Starbucks reloads seem to be the “tell”) — I’ve had my card replaced 3 times this year, and I’ve not used it since last summer.

    I’ve had several MasterCards also cloned and used overseas. Those cards are also in my “sock drawer” and don’t get used except for 0% balance transfers.

    The problem is way bigger than just these well publicized breaches. Maybe these are the tipping point to push the whole system towards positive change.

    Gotta hand it to Krebs for getting out there with this stuff!

  14. Dave Spencer

    This year I’ve had my debit card replaced three times. Twice by my bank and once by me as a pro-active measure. To date I have not lost any funds but I just consider that good luck so far. As a result of all these “breaches” I’ve changed my purchasing behavior: I’ve stopped using my debit card as a debit card and instead solely as a credit card. I go over my statement several times a month now as before I had just let it ride.

    What I’d like to know as this point is who still is using POS terminals with Windows XP embedded in them? I’d like to know because I want to avoid those merchants like the plague. Furthermore, where’s the blow-back any more on this? Target took a big hit when their breach made the news. Home Depot doesn’t seem to have even raised an eyebrow. This ambivalent attitude toward criminals stealing everything electronic has me confused and outraged.

    1. Old School

      “I’ve stopped using my debit card as a debit card and instead solely as a credit card. ” But the debit card number is still “out there”. A humble suggestion: Get a “cash back” credit card. Only use the debit card for debits at an ATM that is in the lobby of your bank. Remove any credit card capabilities from your debit card.

  15. NotSA

    How many insiders were involved? At least when more jobs are eliminated security might improve. It’s so bad that job loses will be a big plus.

  16. Canuck

    Asked my neighbour today if he had shopped at Home Depot during the breach times and he said he had but didn’t care – he said, “My credit cards are always maxed out anyways – good luck to them getting even a six-pack with it!”

    1. lopol

      Ya that attitude is sad. Because he doesn’t know what more they can do with his cc information. :/ It’s not just buying things! It’s getting access to a whole lot more information!

      1. Larry

        Agreed. The more I learn about breaches like this, the more I realize how seemingly harmless info about me could be used to hurt me.

        If an attacker can reset the PIN on your maxed-out credit card, couldn’t they also request an increased credit limit on that card?

        1. timeless

          Probably, but if you’re lucky / unlucky, you wouldn’t be preapproved for a bump. OTOH, the issuer might be willing to do a credit check (which dings you’d credit score) — that’d suck.

  17. Garyh

    Is that 56m unique cards? I probably swiped my card at HD 1/2 dozen times in that period. Do I count for 6 or 1?

      1. MorningCoffee

        Not if you used different cards. Some people have business and personal cards, or multiple of each.

  18. Right Hand meet the Left

    Trying to pull the thread on this one here, so help me with the logic. Card gets breached, data sold on an underground shop, crook purchases gift cards at a big box retail store, uses gift cards to purchase big ticket items. The Bank is aware of fraudulent transaction, can track the date and time of the purchase and tie it to the gift card. Gift cards all have “account numbers”, retailers also track date and time of purchase with gift card. Would their not be surveillance cameras to see the in-person ones? I realize many of these purchases likely take place online, where cameras would not matter. If retailers would strictly adhere to not shipping gift cards to an address where the Address Verfication System does not match, then you would reduce the fraud. I realize that does not promote the idea of a “gift card,” but there has to be a better solution. Maybe the amount of revenue from the legitimate sales greatly outweighs the risk and cost from the fraudulent ones, so profitability (ahem…greed) wins again.

    1. Larry

      “Would their not be surveillance cameras to see the in-person ones?”

      Next time there’s a local crime story featuring surveillance camera footage, ask yourself if you could identify any of the people on camera. Are cameras there to identify suspects, or to record incidents for insurance purposes?

      1. Old School

        Dark glasses and “hoodies”, the criminal’s best friend.

      2. Andrew

        Actually both.

        Because both things have the potential to save the store money (limiting potential insurance claims, and limiting damage from fraud/robbery).

        As an added bonus, sometimes a store that isn’t required by their insurance company to have cameras but chooses to install them anyway may get a discount on their premium – just the same as car insurers do for cars with alarms.

  19. wombat94

    It sounds as if the project started in January 2014 was to turn on encrypt-at-swipe in the payment terminals attached to the cash registers.

    It would seem they were fairly far along with at least a pilot program if they were able to complete that rollout between the discovery in late August/early September and September 13th.

    What I’d like to see from Home Depot is some document of which stores were vulnerable at which time. (Similar to the way Michaels did after their last breach)…

    of course, saying that they “started” the project in January really doesn’t mean much if they were only in a handful of stores testing it out of the 2000 stores.

    1. peter

      Their terminals have chip slots but they are NOT activated !!

      Incredible !!

  20. anonymous

    We all pay. Shirts cost $.03 more, furnace filters cost $.03 more, etc. So indirectly we all pay. Who do think the cash comes from?

  21. Louis

    Chip and PIN is broken, right ?

    Let’s see, where do card frauds happen most… In the US.

    Where has EMV not been implemented at all ? In the US.

    Who says EMV advocates are doofuses ? Oh, yes, I see it coming, in the US… (And UK, we’ll get to it)

    The US and it’s refusal to embark on EMV has led the world’s fraudsters to concentrate where mag stripe data works most, and that is ? You got it, in the US.

    So please, before saying EMV is broken, check out the facts. All countries that have switched to EMV experienced a drmatic reduction in frauds.

    And if you think Cambridge has it better, EMV was implemented incorrectly in the UK, so Ross Anderson’s criticism is mostly concerning UK implementations.

    Anybody who replies EMV does not encrypt, has simply not understood how EMV works, what’s its purpose as a security mecanism

    1. BANKER

      Yes countries that have switched to EMV have seen a decrease in card present fraud, however, card not present fraud has increased. So you exchange one type of fraud for another.

      With card present the Card issuer takes the loss. With card not present the Card issuer may not have to take the loss.

      Banks have taken the majority of the losses in these types of fraud while the merchants who have been breached are not responsible for any of the fraudulent charges.

      I love it when they put the statement “You will not be liable for any fraudulent charges” like they are going to cover those. It is just PR by the company.

      1. Jack

        This time may be different…the fraud just started to hit, not hard enough to get banks screaming yet. The Home Depot may be responsible for fraudulent charges and card replacement fees. We will see many lawsuits in the coming days.

        1. Robert.Walter

          Anybody have a handle on any suits coming it of the other big recent breaches like Target, Jimmy John’s, TJM, Michael’s?

          1. nov

            Quick search shows:

            Visa and Mastercard; multiple Target cases, Case Number 0:14-md-02522
            www[.]law360.com/articles/569067/visa-mastercard-severed-from-target-data-breach-mdl

            Target consolidated case, Case Number 0:14-md-02522
            www[.]law360.com/articles/577909/target-data-breach-ruling-may-guide-home-depot-litigation

            Home Depot, Case Number 1:14-cv-02975:
            www[.]law360.com/articles/578436/home-depot-nailed-with-1st-bank-suit-over-data-breach

            Neiman Marcus, Case Number 1:14-cv-01735 (tossed out a proposed class action):
            www[.]law360.com/articles/578059/neiman-marcus-skirts-data-breach-class-action

            Request for Congressional action:
            www[.]law360.com/articles/570203/credit-unions-renew-retail-liability-push-after-ups-hack

    2. David

      @Louis

      You make a lot of good points but a clarification is in order. While EMV has a lot of encryption, it still makes available something that looks like mag stripe with a small dynamic component that prevents making a mag stripe clone.

      The rest of the data in this faux stripe is the same including the unencrypted card number and expiration date. This data can be used for fraud at online stores that don’t require the security digits printed on the card.

      What most people don’t realize (I’m sure you do) is that their credit card has several different payment mechanisms that while close aren’t the same: EMV, contactless, card-not-present, swipe, and manual.

      My understanding is the whole liability shift is just on chip transactions. Not all transactions on chip cards.

      Each acceptance method has its own controls and risks. Different banks and merchants can implement these controls differently. The number of online merchants not requiring the security digits for instance. And my personal favorite for comic relief are all the American gas stations that loose business because they require a zip code not realizing that doesn’t work if you come from somewhere with alpha-numeric postal codes.

  22. david wilkey

    my guess is the self-server terminals are easier to infect/upload to. When criminals are able to drill into ATM’s to access ports to upload software, I’d guess that POS security is several orders of magnitude weaker. I’d also guess that HD will be keeping quiet about the attack vector.

    1. SeymourB

      While Home Depot sells drills, and drill bits, employees would likely look at you a little funny if you started drilling into a POS terminal.

      They probably infected a server on the back-end, which was then used to infect the POS terminals, similar to the Target hack (obviously there are steps prior to the back-end server infection I’m glossing over).

  23. Kenny

    Judging by the value of the stock, financial analyst are totally clueless…

  24. Mike C

    This appears to me to be a fairly specialized hardware target.

    What are the mechanics for designing this kind of exploit? Would the thieves need to have physical access to a similarly (or identically) configured platform? Does the author of the platform publish a emulator? Does anyone know if the POS computer has a embedded OS? Is there a pattern to the type of platform we have seen targeted recently? e.g. are the POS systems they are breaching all Linux embeds? Windows? XPs?

    1. Phil Cooper

      I’ve read, but can’t confirm, that the Home Depot POS terminals were running a version of Microsoft Windows. The comment here by TheOreganoRouter.onion.it that they were using Enterprise Symantec Antivirus software tends to support that notion. However, Symantec offers antivirus products for Windows, OSX and Linux, so we can’t be 100% sure.

      1. Ralph Daugherty

        The malware is Windows software. None of these corporations that were hit were competent enough to run hardened Linux or better yet flash rom devices.

        Running a Windows PC as a POS terminal is just sheer stupidity. I use Windows at home and at work. To run general purpose software. But a POS terminal is and should only be able to run the POS software. That excludes any installs including malware.

        They should be firewalled to only be able to communicate with one local server, and that server shouldn’t have access to internet. And on and on. This is Security 101 stuff. In my world the server would be an IBMi and no one is going to break into that. But even without that hardened Linux would secure the data. So this is about using secure technologies which requires people that can stretch outside thw comfort zone of Windows. The right tool for the job and all that.

        1. TheHumanDefense

          Ralph,
          Does any of that matter is I simply send a spear phishing email to the right people at the retailer? One email, one click, your owned. Again and again breaches occur because someone is social engineered. If the attacker knows what they are looking for and find a way to get there, all they need is a point of entry. After that, they have all the time in the world to figure out where the vulnerabilities are and plan the attack.
          Technology is a great layer to defending, but we have to stop thinking of it as the only layer.

          1. Ralph Daugherty

            You can sniff around all you want but you’re not going to break into an IBMi server. Or hardened Linux limited to software needed for the job for that matter.

            Maintaining remote communications with a PC on a corporate network to scan for a server to crack should be very difficult with firewall settings. You’d have to do it through port 80 in a reverse proxy environment, would you not? And the software on the PC would have to do all the work of identifying servers, breaking into them, establishing software on the server, and then connecting to the remote IP address. This isn’t what’s going on in these retail companies. They have Windows servers that can be communicated with and hacked imo, then remotely scanning for POS terminals, breaking in, etc.

            Like I say, isn’t going to happen with an IBM i anyway. If you want security you have to run secure software.

            1. The Human Defense

              OK, well I preach a gospel that most people don’t want to hear, but when the intrusion happens and bypasses all of the software security because of lack of creating an environment of awareness, all of a sudden it becomes very urgent.
              Ralph,
              This type of mind set that every enterprise, including the DOD are only one click away from intrusion is not popular. But when you see what I see you’ll know better. Ask any attacker, and they’ll tell you “with enough time, I’ll figure out a way in”

            2. Coolac

              Ralph, imo, windows is not the problem. As many security gurus, and even the linux people will say about the difference between their distros, is that its the users knowledge and configuration of the O/S that matters the most. And that any of them can be just as hardened as another. Windows embedded is just what you said, a windows limited to only software thats nescessary. Its not a desktop O/S.

              Also Snowden robbed the NSA of all their data, do you think it was just a matter of lack security? I doubt it. 9 times out of 10, its someone accidentally clicking a bad link, or it was an inside job, just like 9 times out of 10, imo, its an inside job at these retailers and banks too…

  25. OhioMC

    Will be interesting to see if the nature of the self checkouts played into the exploit.

    Unlike a human operated register, they have no cash drawer which is under CCTV scrutiny. Loitering at an unattended register may not only draw attention but be recorded in detail.

    Meanwhile, someone using the self checkout could reasonable be expected to be all over the station – side-to-side, and using the various interfaces, bagging and occasionally clubbing the machine in frustration.

    So if they used hardware /peripherals as the way to install malware, self checkouts might be easier/safer targets. (???)

    1. Phil Cooper

      The malware was most likely installed over the Internet, with no crooks ever setting foot in any U.S. Home Depot store.

      1. Coolac

        I usually feel the opposite. I think either its an employee clicking bad links and getting his credentials stolen.

        Or its an inside job. If a cash register whitelists software on the usb drive, then what about the desktop computers in the main office? Is the whitelisting even totally foolproof?

        I’m sure crooks are finding ways to buy these terminals and sofware to test diff methods. Or have access at certain stores to make all the attempts they want, before they hit the big ones and give their corrupt employee the payload.

        What about in the case of target and the VAC company they outsourced to? Could someone not stick a usb stick in one of their computers?

  26. JerseyBanker

    No matter how you look at these retailer breaches, it is banks that bear a large extent of the direct expense they cause. No retailer reimburses us when we have to issue hundreds or thousands of customer debit cards due to THEIR lack of security measures.

    I’m not talking credit card companies that make it back in interest charges. Community banks don’t have that luxury. Most small to medium sized banks, like mine, issue debit cards free to its customers to provide access to their accounts. Regulators put us through stringent technology & security requirements and testing, which they absolutely should.

    When are retailers going to be held to the same standards?

    We’ve already had to replace almost 20% of our customer cards, and the Home Depot lists are still coming out. Yes – occasional replacements of individually compromised cards are something we absorb as part of doing business. Just like opening new accounts and replacing printed checks for customers who have been robbed, or are victims of identity theft, etc.

    Hold retailers responsible for the results of their lack of security on the other industries affected, hit them in their wallets, and you’ll see a change in their security methods.

    1. Jack

      Sue these bastards, sue them hard.

      Home Depot was clearly not PCI complaint (even though they may have certificate from some 2 guys shop consultant firm). If you make Home Depot pay $10 billion damages, they will learn a lesson.

      1. Mark W.

        They didn’t have a “2 guy shop” QSA. They’re a global MSSP also. I haven’t seen the name of the QSA mentioned in any article though or what was Home Depot’s state as of their last assessment. The QSA is NOT currently under “Remediation’ status” according to the PCI-SS website.

    2. anonymous

      the banks pay for new cards. they sue the retailer. retailer settles. visa et al pays sunk cost of cpp. visa et al charges retailer. furnace filters cost $.03 more. end of story.

  27. Jeff

    Is Home Depot required to notify customers of the breach? I have received nothing from Home Depot, and have only known about it by following the news. I am guessing some family members still do not know about the problem.

  28. TwoCents

    Here’s my guess: the self-serve terminals had a generic log-on ID and password that the malware writers were able to guess or obtain, and that gave them access to the swipe data on the terminals.

  29. Ulf Mattsson

    Home Depot Relied on Voltage Security – Should Others Be Worried?

    Once again a major breach has hit the headlines – this time Home Depot was infected by the same type of malware that looted millions of credit card numbers and sensitive customer information from Target late last year.

    Why does this keep happening?

    Even with PCI data security standards in place and a big name data security vendor hired on to secure their data, Home Depot failed to protect their business and customers against a known threat.

    The truth is, the failure was not due to the tools available, but the lack of expertise, training and care to apply the right technology in the right way. New tokenization methods can help to protect sensitive information in memory, and combat this latest form of memory-scraping malware.

    It’s an underappreciated value to find a partner that will not only give you what you ask for, but will advise you on best practices and regulations, work with you in designing an effective security strategy, and ultimately help you find and protect your sensitive data with the best tools available.

    The Payment Card Industry Data Security Standard (PCI DSS) guidelines could also have helped them to identify potential weaknesses and close security loopholes. Network design has been a significant issue with large enterprises, but with thorough knowledge and preparation to effectively meet the PCI standards, more breaches can be prevented, and their effects mitigated.

    Technology and regulations only take you so far in securing your business. Finding partners and people with the right expertise, knowledge, and care is the key to get you the rest of the way.

    Ulf Mattsson, CTO Protegrity

    1. Gabriel Goldberg

      The article’s timeline shows that Voltage deployment was in process when the breach occurred and was completed AFTER it occurred: Breach was disclosed September 2, Voltage US rollout was completed September 13 and Canadian stores will be completed by early 2015. Unfortunate timing, of course — but when it occurred Home Depot wasn’t yet relying on Voltage.

Comments are closed.