07
Nov 14

Home Depot: Hackers Stole 53M Email Addresses

As if the credit card breach at Home Depot didn’t already look enough like the Target breach: Home Depot said yesterday that the hackers who stole 56 million customer credit and debit card accounts also made off with 53 million customer email addresses.

pwnddepotIn an update (PDF) released to its site on Thursday, Home Depot warned customers about the potential for thieves to use the email addresses in phishing attacks (think a Home Depot “survey” that offers a gift card for the first 10,000 people who open the booby-trapped attachment, for example). Home Depot stressed that the files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information.

Home Depot said the crooks initially broke in using credentials stolen from a third-party vendor. The company said thieves used the vendor’s user name and password to enter the perimeter of Home Depot’s network, but that these stolen credentials alone did not provide direct access to the company’s point-of-sale devices. For that, they had to turn to a vulnerability in Microsoft Windows that was patched only after the breach occurred, according to a story in Thursday’s Wall Street Journal.

Recall that the Target breach also started with a hacked vendor — a heating and air conditioning company in Pennsylvania that was relieved of remote-access credentials after someone inside the company opened a virus-laden email attachment. Target also came out in the days after the breach became public and revealed that the attackers had stolen more than 70 million customer email addresses.

Home Depot also confirmed that thieves targeted its self-checkout systems, a pattern first reported on this blog on Sept. 18The Wall Street Journal reported that the intruders targeted the 7,500 self-checkout lanes at Home Depot because those terminals were clearly referenced by the company’s internal computer system as payment terminals, whereas another 70,000 regular registers were identified simply by a number.

News of the Home Depot breach broke on this blog on Sept. 2, after multiple banks confirmed that tens of thousands of their cards had just shown up for sale on the underground cybercrime shop rescator[dot]cc. That same carding shop was also the tip-off for the breach at Target, which came only after Rescator and his band of thieves pushed millions of cards stolen from Target shoppers onto the black market.

Tags: , , , ,

81 comments

  1. Already received my obligatory “whoops sorry” email from Home Despot (yes, that’s on purpose) at 9:52 am this morning.

    I didn’t remember that I had ever had an online account with them. Time to delete that puppy.

    KH

    • How did the Home Cheapo get all those email addresses?

      I had my (Citibank) credit card hacked thanks to them, but I never gave HD my email address.

      Entering your email address in the “Let us email you your receipt.” scam is just like stamping your forehead with a “PLEASE SPAM ME” banner. Are 53 million people that stupid?

      • As I recall their lanes give you the option to get an email receipt. (I’ve always declined).

      • Ya,people do that all the time,BECAUSE the stores use disappearing ink on their receipts! Don’t everr leave pine in the sun light,it will be blank in a week or less!

        My friend does it all the time and it drives me crazy wasting time and holding others up. He already has a copy on his credit card statement. And guess what? His computer just took a dump a couple months ago,and it was less than three months old. I warned him over and over again about security,yet this idiot insisted on using Windows XP Still. He’s the kind of guy that puts everyone in jeopardy,and has hhad is email account hhacked more than once! You would think people would learn from their mistakes,but some never do. Time to make people take a test before they are allowed to drive they internet!

      • “Are 53 million people that stupid?”

        After Tuesday night, do you really have to ask? :/

      • Yes they are. That stupid.

    • A tip — never give a commercial entity your primary email address.

      Keep a separate email address that you use for shopping, and other things that demand email addresses (where the “sender” is not a live person, but an automated process).

      I have several throw-away accounts with free providers that I use for this purpose. That way, whether a merchant decides to opt me in to their bulk-mailings (supposedly as a part of “transactional” mail), or the address gets leaked, the subsequent mail gets sent to a mailbox that I don’t check regularly.

      Even for this comment, the email address I’m specifying is for a throw-away account, and I rarely log into that account to check mail.

      One further step you can do is with services that are explicitly for throw-away addresses, such as trashmail.com or mailinator.com. Details vary some from provider to provider, but the general idea is that if you need an email address, you can enter any email address you want (e.g., send_me_spam@mailinator.com), and that address will accept inbound mail for a few hours, where you can read it. I believe that most of these services are inbox only, and don’t let you send mail. Also, anybody can view any address available, so it’s not appropriate for sensitive content.

      Thus, if you really need a one-time address, give the provider a throw-away address, and if their automatic processes decide to sign you up for their mailing lists, or they leak the address to somebody else, any mail will be sent to somewhere that you’ll never see.

      • I hear you, however, I beg to differ.

        Your strategy ensures you will lose a receipt here, an email there, and have trouble accessing your online accounts.

        Keep one main inbox, and keep it clean (unsubscribe from all marketing material….).

        most spam gets filtered (I use gmail) and you don’t need to worry.
        the 3% that does get through just requires some basic common sense and you’re fine.

        All your tricks won’t help, because someone, somewhere will get your top secret, unused email anyway…

        • You didn’t win $you name it
          You can’t work at home because you have a computer
          You can’t order from aCanadian Pharmacy
          etc.
          etc.

        • I have one account for my personal email, and another for communication from businesses I shop at, etc. That seems to work quite well.

          Having a bunch of different email accounts you hardly ever check seems like a recipe for missing important messages upon occasion.

      • I own a domain name, and use the catch-all feature of my email service to use a different email address that identifies who I provided the email address to. This enables me to know where spam originate from, and all messages appear in my regular inbox with everything else. No need to search dozens of mailboxes.

        If I encounter a company that sold my email address I can easily shut down all email going to that particular email address. It helps keep my inbox pretty clean, and allows me to provide email addresses to companies with out concern that my email address will be abused by spammers.

        This system has worked out pretty well for me as most of the spam that I get now is from places that have my actual email address from before I began doing this several years ago, since there are still places online where my actual email address is listed.

    • whoops sorry, we apologize, click on the attachment to get your coupon

  2. HD has NFC enabled but when I tried to pay using Apple Pay it was declined. Using the plastic card for the exact same account was accepted. Huh ??

    Oh, the EMV-chip slots are STILL not enabled. You HAVE to swipe.

    • I pay with NFC (via Google Wallet) at my local Home Depots in Chicago all the time. There’s probably 3 or 4 different Home Depots that I frequent and never had a single problem with NFC (via Google Wallet) at any of them.

    • I can use ApplePay at my local Home Depot. I’ve heard that some stores and lanes are not configured to accept ApplePay – therefore Home Depot does not appear on Apple’s official Apple Pay partner page.

    • I can tell you that companies are not willing to accept these NFC programs, such as ApplePay and Google Wallet. Why? They are NOT secure methods of transactions and open them to security breaches in a whole new world. The PCI Compliance Security Council will NEVER EVER in the next two years certify these systems as true ways to pay. If at any time your information is breached by using such method, you will never be able to do anything about it. Apple knows this and so does Google and every other company- including the payment systems by the cellular industry. You are better off using your card instead of some NFC device. You are NOT protected.

      • Have you even read anything about Apple Pay? It’s tokenized and all the sensitive card data is kept private and never even given to the terminal. How do you figure this is less secure than handing over every piece of information on your card?

        • It’s still not protected such as a card. If your information is stolen such as from Apple, there is nothing you can do about it. Because Apple is NOT required to meet PCI Compliance on how the data is stored. That is the problem. There is no laws or rules that state how Apple must protect and store your information. Do you really think they have a PCI Certified Data Center to host that information? Hardly. It takes MILLIONS to become a PCI Compliant Data Center and there are NOT that many in the US, let alone in Canada.

          • Yeah because Apple is new to payments and has no idea what they are doing. Apple, the same company who is second only to Amazon (American companies) in volume of unique individuals for whom they have a stored payment card number. Apple has been storing iTunes payment cards for a long time. They are a card carrying Level 1 merchant for PCI purposes and know far more about it than your average merchant or QSA.

            Not that I support or endorse Apple Pay, but giving credit where it’s due, Apple knows what they are doing.

          • Apple doesn’t store your card number – they only store the token which isn’t covered by PCI as far as I can tell from my reading of it. The networks store the token to card number mapping instead of Apple. Also, Apple already had to undergo PCI certification for their pre-Apple Pay acceptance (e.g. their stores, the App Store, etc) which do have real card numbers.

      • Of course PCI won’t certify it, as it isn’t in the business of certifying payment cards. They are, however, compliant with the requirements they must comply with. Google Wallet is a contactless MSD prepaid card provided by Bancorp Bank and sent by host card emulation. Apple Pay is an EMVco Tokenisation Framework compliant EMV payment system.

        • Not true. You need to go become PCI Certified so you know what you are talking about yourself. PCI also states how the card information can be stored and who can store it. ApplePay and Google Wallet do NOT operate PCI Compliant centers and they do NOT have the information stored within those centers. On average there is about 10 data centers in the US that are PCI Compliant and those companies do not use them. Not even StarBucks system is PCI Compliant based upon how information is stored within their app.

          PCI Compliant not only protects the card, but also states how the cards information must be stored. None of this is on those apps for NFC. PCI will tell you that any day of the week. Storage is the key- not the part of processing the transaction.

          • Let’s be careful how we use the terms “compliant” and “certified.” Anyone cane build a “compliant” data center or environment yet not be required to be “certified.” PCI-DSS is an organization that was started by the credit card companies to protect their money. It applies to organizations who accept credit cards, organizations who make software/hardware to accept and transmit credit card data and organizations who process credit card data. Just being compliant, even certified does not make an organization safe. Target was certified, based on what I know, and had a signed ROC (Report on Compliance) as was Home Depot. Turns out that Target, at least, was not really completely compliant, however, they were compliant enough to gain certification. If I sounds like I am going in circles, I am, on purpose… compliance does not equal security, this we all should have learned. Having looked at a larger number of PCI certified organizations in recent years, I can tell you that it is a very true statement.

            Hiding the credit card data and tokenizing it is an excellent practice, it can remove the need for many devices to be considered in scope and personally, I would rather have my credit card data stored in a well encrypted, tokenized environment than have it continually passed between POS, network devices and processors.

            It is really funny to me how people are so myopic that they only look at one aspect of some of these situations, getting caught up in this regulation or that product or some other certification. If we all, including the folks who were breached would step back and look at the bigger picture, apply a host of best practices and came down from the egotistical tower that so many of us security professionals are stuck in, we would all be much better off.. yes, we really do learn more when our mouths (and keyboards) are shut!

            • Kr, I 100% agree with your statement “compliance does not equal security.”

              My research team has the data to prove it, going back 9 years since the ChoicePoint breach.

              The “Security Breaches” matrices hyper linked on the left hand side of this page proves your point https://www.cloudeassurance.com/news/industry-news/

            • I also agree with you both on certification and compliance.

              And tokenisation moves the problem to where the tokens are generated, stored or otherwise aggregated. If the tokens are kept segregated at all times then breaches can limited in scope. Conversely, if all tokens are ultimately generated, stored, aggregated, etc at as a group, then we simply moved the haystack instead of spreading it. Such a system would make for fewer events (we hope), but the fewer events would be of much larger impact. In that regard present efforts are, in my opinion, lacking and even potentially dangerous (think ‘too big to get hacked’ instead of ‘too big to fail’). As with the derivative CMBS mess, we might encourage creating ever larger repositories and, as with the CMBS mess start thing that it can’t possibly fail.

              So the question for token folks to answer is how does the mechanism that generates, aggregates, stores etc. behave when it is itself compromised, hacked, shadowed, etc. Or how does it ‘fail’ without taking down the whole show.

              And that is a similar problem for the big data, cloud folks.

              Ultimately, my present thinking is unless one gives up the advantages of data aggregation (scale) we are simply moving, not spreading the haystacks.

              To bring this back to certification (risk transfer) vs compliance (risk reduction) I will postulate that any time customer data is aggregated we move towards fewer, but larger risk events. Tokenisation is a start, but if the data is aggregated before or afterwards then it may short circuit the benefit, and create an environment for the mother of all data breaches.

              As it stands I don’t think folks are quite ready to accept aggregated data diminishing security as we still think in terms of event likelihood, not scale. And just as going from 1000 small events of 1, to 1 event 1000 times the size moves toward riskier behaviour, tokenisation may give a false sense of security.

              It is going to be up to you info-sec folks to be the grownups in the room for now, because the business folks, like the finance folks who made those low risk CMBS derivatives, can’t seem to control their excitement of acquiring large collections of data.

              Regards and good luck.
              Lee Church

  3. And this is the same organization that demands that you give them your drivers license number to store in their systems if you make a return more than 30 days after a purchase. Hellooooo, Lowes!

    • So you are saying Home Depot has reached new Lowes ?

    • WM requires the same thing. Most retailers do require this so if you have several turns over a very short period they can look into it. Sears Holdings requires the same as it should be. It helps to protect themselves from merchandise theft when the items get returned for $$$$.

  4. ‘Trojan Horse’ Bug Lurking in Vital US Computers Since 2011
    Nov 6, 2014, 2:13 PM ET

    http://abcnews.go.com/US/trojan-horse-bug-lurking-vital-us-computers-2011/story?id=26737476

    A destructive “Trojan Horse” malware program has penetrated the software that runs much of the nation’s critical infrastructure and is poised to cause an economic catastrophe, according to the Department of Homeland Security.

    National Security sources told ABC News there is evidence that the malware was inserted by hackers believed to be sponsored by the Russian government, and is a very serious threat.

    The hacked software is used to control complex industrial operations like oil and gas pipelines, power transmission grids, water distribution and filtration systems, wind turbines and even some nuclear plants. Shutting down or damaging any of these vital public utilities could severely impact hundreds of thousands of Americans.

    Hackers Breach White House’s Unclassified Computer Network
    DHS said in a bulletin that the hacking campaign has been ongoing since 2011, but no attempt has been made to activate the malware to “damage, modify, or otherwise disrupt” the industrial control process. So while U.S. officials recently became aware the penetration, they don’t know where or when it may be unleashed.

    DHS sources told ABC News they think this is no random attack and they fear that the Russians have torn a page from the old, Cold War playbook, and have placed the malware in key U.S. systems as a threat, and/or as a deterrent to a U.S. cyber-attack on Russian systems – mutually assured destruction.

    The hack became known to insiders last week when a DHS alert bulletin was issued by the agency’s Industrial Control Systems Cyber Emergency Response Team to its industry members. The bulletin said the “BlackEnergy” penetration recently had been detected by several companies.

    DHS said “BlackEnergy” is the same malware that was used by a Russian cyber-espionage group dubbed “Sandworm” to target NATO and some energy and telecommunications companies in Europe earlier this year. “Analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor,” the DHS bulletin said.

    The hacked software is very advanced. It allows designated workers to control various industrial processes through the computer, an iPad or a smart phone, sources said. The software allows information sharing and collaborative control.

  5. Not sure that going to another retailer fixes this problem until they spend all some money on security.

    Target (hey quit laughing) wanted to swipe my drivers license to buy a bottle of wine. Guess they don’t trust the cashiers to check ID. No thanks. But since that kept me from shopping there, I averted their ‘data loss’ problem. Then they revoked my Target credit card because I hadn’t used it in six months. I’m guessing their next move is to come to my house and slap me up when I open the door.

    • Thanks for my laugh of the day, cfb. I’m a visual learner, and I think I just saw Alex from Target with his hand poised to knock.

    • They are not the only retailer who does it. And you do realize that fake IDs are still made right? You can never fake that strip on the back.

      • Is it possible to get so much misinformation from one person on one thread, I’m sitting laughing at your comments. Of course you can fake the barcode on a driver’s licence. It isn’t encrypted in any way, and the format is published.

  6. I’ve never purchased anythig for HD online and have never given them my email address. Nonetheless, they have it. They bought it from somewhere.

    • If you used a credit card at Home Depot, and if the bank that issued that credit card your email address, that bank might have given the address to Home Depot.

      Many years ago I bought stuff at a Harbor Freight store, going in once a month to buy some small goodies. Eventually the parent corporation began mailing me advertising flyers to my credit card address, which is a Post Office box, but nothing to my home address. As I had not given my email address to the bank I got no emails from Harbor Freight.

      I began getting emails this year because I intentionally gave them my email address. But the credit-card bank still does not have my email address; it’s faster for me to call the number on the back of the card and get information.

  7. I am old enough to remember when we all dreamed of being able to access everything from the WAN. We never dreamed of this… :-( Humans predating themselves – but I guess they always have. (need more coffee!)

    • You might just need to switch to something a bit stronger and more relaxing than coffee as you contemplate how this brave new technological world has evolved to differ from long-gone prognosticators’ positive vibes….

  8. I haven’t spent a dime at Target since their breach. My wife laughs at me because I’m so stern about not shopping there. Got caught up in the Home Depot fiasco, and only been back once out of sheer necessity, although have changed my shopping habit since then to now support local hardware stores.
    Never give anyone my drivers license, that’s sheer stupidity.
    Gonna start using more cash (ugh) where possible. Need to update my phone before I can consider NFC, but thinking about it too.

    • NFC is not secure – read my post above. NFC is just asking for trouble.

      • Why are you spreading nonsense?

        • It’s not non-sense. It’s actually true. Have you looked it up on the PCI Council’s website? NFC is NOT secure. And there are no laws or rules protecting your card information to keep it safe. You should contact the PCI Council and ask them. We are a certified PCI Compliance Inspector and service provider. We have gone and do go into these companies and do the forensic work on finding the malware that has been put into the networks. I can also tell you that many of these companies run risk of being able to ever accept credit cards again.

  9. Again, another third-party breach. A 2014 Vendor Risk Management Benchmark Study concluded actual practice of Vendor Risk Management is relatively immature: the weakest link in the vendor management process is the lack of monitoring and processes for terminating vendor contracts.

    • For anyone interested in reading the 2014 Vendor Risk Management Benchmark Study mentioned above, it can be accessed here: http://sharedassessments.org/2014-benchmark-study/

      Our thanks to our collaborative partner, Protiviti and our Steering Committee member Rocco Grillo, Managing Director and Global Leader for Incident Response and Forensic Investigations, Protiviti for conducting the survey!

  10. Good Guy Krebs – I wish we had as much clarity on other issues facing us “regular folks” (I’m just now reading Cuckoos Egg and Worm.)
    https://www.youtube.com/watch?v=cOkX2KQxkQI

  11. Note that these bad-guy enterprises rely on globalization, and are pretty much directed at that. Little local banks, etc., aren’t targeted so much. Cybercrime could be one of the big factors determining the success/failure of global civilization, right along with the impacts of changing weather patterns, overpopulation, resource depletion, etc. I guess the only way we could possibly compare this is in dollars wasted… but that’s not a great way to compare these things.

  12. Admiral Obvious here: “made off with 53 million customer email addresses.” Thus 53 million reasons to use alternate email addresses, one unique, disposable, email per account.

  13. Interestingly, I don’t see anything about “Improving their Vendor Risk Management Program” in the list of “Cyber Security Enhancements” in the recent statement from Home Depot.

    This would indicate that they are not addressing the root cause of the breach holistically and are just throwing money at the problem by implementing Enhanced Encryption and EMV Chip and PIN Technology, which should really be the last line of defense! Holistic security is about People–>Process–>technology!

    • The problem with people, process, technology is it only addresses part of the issue and assumes the objective is wise.

      You can have the best people, best process and best technology and it won’t beat the security of not storing, processing or handling the equivalent data set.

      In recent months several folks have highlighted the same concept, whether spreading the haystacks (see scientific American article) , or limiting what is stored (see nsa’s admiral rogers comments) scope limiting techniques.

      So I’m all in favour of people , process, technology, but remember it is mathematically impossible to secure something forever. Given any non zero chance, an infinity timeline makes for certainty of an event.

      That being said there is big money to be made on the promise of the cloud, however it’s simply a dislocation of risk, or more crudely, a shell game, using time and probabilities to move the rewards to companies lucky enough to exploit the data, and cash in before the certain event.

      Unfortunately hd gambled, and we all get to pay the price. Whether it’s hassle, costs and time to replace cards, email addresses, or actual undetected fraudulent transactions (there are likely to be some that are not seen by some customers), it all adds up to external parties paying the price for hd to gamble.

      The people, process technology just does not address the perverse incentives for party a to gamble. if they win, party a takes the profit, and if they lose, party b,c, and grandma takes the loss. Which brings me to another issue, or rather missing component of people process and technology; namely there is no ethical component, there is no place for the question of whether what is being done is unfair to an external party, often a party that learns after the fact that a gamble has been placed without their explicit consent. Hd collects emails for receipts online, but then keeps them for other purposes, then loses them.

      So the cloud and big data has issues, but they are far beyond people , process, and technology. The real pathetic thing is hd could not even get those woefully inadequate parts right.

      Thankfully, some, including Admiral Rogers understand the need to limit scale/scope, but for the most part it appears that the only way to address the issue on the private/corporate side is via regulations. To avoid that, the industry would have to go well beyond people, process and technology.

      Anyway, hope I spurred you to give the issue some thought.

      Regards,
      Lee

  14. Addreses -> Addresses.
    (I have to watch my own spelling like a hawk)
    Meanwhile: Always a pleasure Brian! Thanks for being a hero.

  15. TheOreganoRouter.onion..it

    The question real is how many of those fifty three million stolen email addresses are actual working verses being outdated or closed accounts?

  16. Joseph Culbertson

    My debit card was cancelled. New one came. No letter of apology from Home Depot. Called them about a transaction that looked odd.
    I was told that I should have seen a problem back in June when it took place and that there would be a lot more than just the one if there was theft.
    It took three phone calls and finally got a hold of the person handling this as they were leaving and the phone went dead. They called as I was going to the bank. All resolved-but- NEVER buying at Home DePOT again.

  17. Several times we’ve heard of a vendor account being compromised and used to get into a commerce network. I have to wonder why a vendor’s account is any less vulnerable than a full-time employee? And wouldn’t an FTE account be more enticing to the hacker anyway?

    My point is – I once read about Genghis Khan, who upon arriving at the Great Wall of China, found that he could not go around it, could not go over it, and could not tear it down. So what did he do? Simply bribed the gatekeeper and marched his army through.

    Is it time to consider just how ‘loyal’ a paid-by-the hour vendor with keys to the kingdom really is?

    • Asking why break-ins seem to involve a third party vendor is a good question.

      Let’s compare:
      Company A is big, is a big target, and has a real IT department. It has policies that require password rotation and other measures.

      Company B is tiny, it thinks it’s a smaller target, it doesn’t have a real IT department. It shares passwords for accounts where it does work — possibly leaving them on an “internal” wiki or similar for quick access.

      Company A uses dozens of companies like Company B. Which is more likely, an attack that captures a well managed single user credential of an employee at Company A, or a passage shared by all employees of Company B, but which is useful on Company A’s network?

  18. Why not one single mention of Vendor Risk Management in their “Cyber Security Enhancements”?

  19. So,….what do I do about this Brian….?

  20. I Do NOT understand why Chip and Pin Technology did not prevent Canada Home Depot from being breached?

    Home Depot deploys EMV Chip-And-Pin Technology, which uses microchips to support higher security authentication methods and has been available in the company’s Canadian stores since 2011.
    I Do NOT understand, some Canadian Home Depot have not had EMV Chip and Pin Technology The company?
    Home Depot said it will be able to complete the implementation of the encryption technology to its Canadian store by early 2015.
    It is also implementing EMV chip-and-PIN technology for extra layers of protection to the payment cards of customers.
    The technology is already available in its Canadian stores since 2011. The company launched it as a project for its stores in the U.S. in January last year, and it will be completed before the deadline of the payment industry.

    • If you carefully examine the self checkout machines you may note that the emv chip reader device is not prominent, while the swipe is very visible. Now, if consumers swipe, then even if directed to insert into chip teader, the damage is done. Worse if swipe transactions are allowed on chip cards.

      At one Canadian home depot, prior to the announcement of the breach, hd taped payer notes alerting customers to where they could insert the card, it was that poorly rescinded.

      Hope that helps sort out your confusion on how Canadian Chas could be compromised.

      • Should read Poorly designed (not rescinded .. blame the word suggest thing getting a completely erroneous word in there).

        Also mangled was the paper notes. they taped up notes showing where the emv slot was as people were swiping not knowing the auto checkouts had emv readers. This was prior to announced breach.

    • Actually the PCI Council has stated and demands that any retailer wishing to accept debit and credit cards in 2015 MUST deploy this new system. If they do not they will not be permitted to accept credit or debit cards any longer. The slide and pin system is expensive and locked to each technology vendor. Its not easy to change. Change payment gateway providers you must change hardware.

      • So much misinformation coming from you it’s insane. PCI is mostly unrelated to what’s happening next year. Starting October 2015, the four major networks, separately (not as a PCI demand), are implementing a liability shift. You can still accept on non-EMV-enabled terminals, but at your own risk as a merchant. If a transaction was made with a counterfeit card, you don’t get to see the money.

        Separately, at the end of 2015, Interac in Canada (Canada’s debit network) will stop processing magnetic stripe transactions.

        • Actually no true. The banks will be accepting the risk if the merchant doesn’t upgrade. And when merchants refuse to upgrade, and the bank does NOT want the risk, those companies can and will start losing the ability to use credit terminals.

          But if the merchant wishes to be PCI Compliant, they will need to upgrade their networks.

          And telling me I have miss information, are you a PCI Certified Inspector? I doubt it very much.

          • PCI = Payment Card Industry, why would anyone think that these toothless jokers would be protecting anyone but their members?

            They exist to limit their own liability, not for the safety of consumers or their transactions.

            They have no regulatory power, they uphold no laws, they merely rubber stamp systems for stopping the exploits of 10 years ago.

            There is no protection or assurance for the consumer whatsoever.

    • EMV doesn’t prevent breaches, it makes the data obtained nearly useless however (the only place it can be used is a situation where ONLY PAN and expiration date are required, which really shouldn’t ever happen anymore).

  21. All is good as Home Depot just emailed me an apology. Well, I think it was Home Depot anyway….

  22. This evening I received an email containing the infamous words: “… The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. …”

    I have also noted that within the past week or so there has been a recent flurry of rejected emails spoofing my email address as the sender of emails from sites designated as ending in “xxx.RU” and that the majority of these emails were destined for other addresses ending in “xxx.RU”.

    Email addresses I may have that were not associated with the Home Depot firm have seen no such additional notification activity.

  23. As others have said, keep an email account private for your friends and family. Give stores a junk email account that will fill with their spam and others dumping their garbage. I once gave out this account to buy a junky item and its now filed with emails in Chinese! HD and other breaches doesn’t give you confidence this stuff is going to be protected so don’t deserve to be in your primary email account.

  24. reading through the trail here and I have to say optifinetpci wins the prize on most uneducated on Oct and emv basics. wow just wow….. please read up before spouting stupid statements.

    • I gave up on trying to argue with Optfi for that reason, I sure hope no one hires his company! He has no clue and is conflating multiple issues. It’s silly to point this out to him.

  25. Friday was this, Monday Dark Hotel… What’s next?

  26. This is all truly devastating to read about these cyber crimes. I guess we should all start protecting our important files and folders with strong file encryption software like Data Protecto and AxCrypt. The sofware is really reliable as I have tried it myself http://www.dataprotecto.com/

  27. Many news reports state that the Windows patch was already available but HD was slow to deploy. Other reports (this one included) state that the patch was issued post-breach. Can someone provide authoritative confirmation?

    http://www.dailytech.com/Home+Depot+Lost+53+Million+Emails+Blames+Windows+Buys+Execs+New+Macs/article36852.htm

  28. As a PCI-QSA working in this field, it’s just astonishing the shortcuts that companies take and the overall lack of commitment to information security. And guess what, cyber security threats are going to continue to grow in the coming years, so it’s highly essential that companies start securing their entire digital infrastructure, which begins by putting in place information security policies and procedures, provisioning and hardening of such systems, and then undertaking comprehensive security awareness training for employees. Call it the 3-point stance for protecting your organization. The problem is that most companies have (1). Outdated policies (2). Don’t have formalized procedures and checklists for hardening their information systems, and (3) do little or nothing when it comes to security awareness training. This won’t cut it in today’s world, so it’s time to get serious about information security.

  29. Poor security management and specifically Vendor Management by Home Depot. The first vector of attack was actually through a third-party vendor , same as Target like Brian mentioned.
    Proper Vendor management would have required security controls in place in the Vendor’s Network.
    1. If the Vendor had proper security controls in place they might not have prevented the stealing of credentials but there is a high likelihood that the Vendor did not have proper security controls in place
    2. If the Vendor had security controls in place they most likely would have recognized the breach (stealing of account credentials) and reported it. If the Vendor had recognized and reported the breach, Home Depot should have been notified.

    Any IT security professional knows (or should know) that some of the most malicious activity happens on Vendor accounts and Vendor VPN’s into a company. Home Depot should have been actively monitoring these accounts and VPN’s for “suspicious” activity.
    Home Depot is one of the largest Level 1 Merchants taking credit cards today. Home Depot’s inability to discover the breach, their poor vendor management and patch management led to the compromise of 56 million customer credit and debit card accounts. Home Depot has a responsibility to its customers (of which I am one) to take steps to insure that a breach like this does not happen again.

    Dear Craig Menear,
    The IT Security Management of Home Depot should be held personally responsible for the negligence and incompetence involved in the management of customer’s information.
    NOTE : Home Depot did not discover the breach even 5 months after it occurred. Financial Institutions started seeing stolen credit card information and reported the information. The Home Depot IT Security team scored a big fat 0 on discovering the breach.
    The Target data breach was still a very hot security topic when the Home Depot breach occurred and the Target breach was very similar to the Home Depot breach, just how incompetent is the Home Depot IT Security Management team?