Home Depot card data breach undetected for four months

The Home Depot card data breach, first reported by security researcher Brian Krebs at the start of the month, may have been a lot larger than the infamous Target breach of late last year, with some reports suggesting that as many as 56 million cardholder credentials were heisted from the retailer's 2,200-plus US store chain.

Worse, the Ars Technica newswire said over the weekend that security staff were aware of shortcomings in the retailer's IT security "leading several members of Home Depot's computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer's stores."


As reported previously, the Home Depot breach ostensibly began in April of this year and remained undetected until last month, with the BlackPOS malware being used to exfiltrate data from the retailer's network. The New York Times quoted a company spokesperson as saying that the malware would have been difficult to detect with its security scans.

However, according to Ars Technica, "former employees contend that the company relied on out of date antivirus software - a version of Symantec's antivirus purchased in 2007. And the company didn't perform network behaviour monitoring, so they would not have detected unusual network traffic coming from point-of-sale systems." The newswire also cites two former IT staffers with Home Depot as saying that the IT security team was kept from checking various systems handling customer data, as is required under PCI-DSS rules.

Targeting self-checkout terminals

However, security researcher Brian Krebs, who broke the story, now says that the cyber-criminals were targeting self-checkout Point-of-Sale machines in Home Depot stores, "meaning that the thieves stole far fewer cards during the almost five-month breach than they might have otherwise."

Krebs goes on to say that, so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure, with 'only' 1,700 of the chain's 2,200 US stores, and 112 stores in its Canadian operation affected by the card fraud.

Bob Tarzey, an analyst and director with Quocirca, said that it looks like all the usual lessons need to be heeded here with the Home Depot card breach, including keeping all software up to date and using both static and dynamic scanning of code to ensure bespoke systems - and the commercial software they are integrated with - are as vulnerability-free as possible.