Home Depot card data breach undetected for four months

News by Steve Gold

The Home Depot card data breach may have continued for longer than the Target attack late last year, according to new reports.

The Home Depot card data breach, first reported by security researcher Brian Krebs at the start of the month, may have been around a lot larger than the infamous Target breach of late last year, with some reports suggesting that as many as 56 million cardholder credentials being heisted from the retailer's 2,200-plus US store chain.

Worse, the Ars Technica newswire said over the weekend that security staff were aware of shortcomings in the retailer's IT security "leading several members of Home Depot's computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer's stores."


As reported previously, the Home Depot breach ostensibly began in April of this year and remained undetected until last month, with the BlackPOS malware being used to exfiltrate data from the retailers network. The New York Times quoted a company spokesperson as saying that the malware would have been difficult to detect with its security scans.

However, according to Ars Technica, "former employees contend that the company relied on out of date antivirus software - a version of Symantec's antivirus purchased in 2007. And the company didn't perform network behaviour monitoring, so they would not have detected unusual network traffic coming from point-of-sale systems." The newswire also cites two former IT staffers with Home Depot as saying that the IT security team was kept from checking various systems handling customer data, as is required under PCI-DSS rules.

Targeting self-checkout terminals

However, scurity researcher Brian Krebs wo broke the story now says that the cyber-criminals were targeting self-checkout Point-of-Sale machines in Home Depot stores, "meaning that the thieves stole far fewer cards during the almost five-month breach than they might have otherwise."

Krebs goes on to say that, so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure, with `only' 1,700 of the chain's 2,200 US stores, and 112 stores in its Canadian operation affected by the card fraud.

Bob Tarzey, an analyst and director with Quocirca, said that it looks like all the usual lessons need to be heeded here with the Home Depot card breach, including keeping all software up to date, using both static and dynamic scanning of code to ensure bespoke systems - and the commercial software they are integrated with - are as vulnerability-free as possible.

Tarzey went on to say that payment card data is the most sought after - and whilst there is no way to achieve 100 percent security on connect systems, following the basics of the PCI DSS rule set should have left Home Depot more secure and at least have protected it from fines from the payment card brands which may well follow.

Lucas Zaichkowsky, enterprise defence architect with Accessdata, the incident response specialist, said that, during the five month-long attack the cyber-criminals performed reconnaissance, gained user credentials and found access points into the payment network. In this case, he says, the attackers even authored new malware tailored to harvest card data from Home Depot POS terminals where the cards are read.

"This highlights the need for organisations to change the fundamental way they perceive security and incident response. Defending against hacker intrusions requires a very different approach to defending against common viruses and mass malware that merchants are used to dealing with on a daily basis. We already know that alert overload leads to threats being detected, but going un-investigated, leaving attackers free to roam inside the network for weeks, or in this case, five months," he said.

Currently, he added, incident response is a highly manual task.

"Manual incident response results in taking too long to shut down a breach, because finding compromised systems one by one typically takes days or weeks. Because the volume of alerts grows daily, generic, unconnected alerts and manual verification processes add delays, which can prove disastrous when attackers are able to exfiltrate, so much data in a matter of hours. Mean-time to response needs to be measured in minutes and hours, not days and weeks," he explained.

IP address scanning

Sarb Sembhi, a director with Storm Guidance, said that hackers constantly scan for the IP addresses of top 100 firms in most western countries - and in each organisation, he says, this will usually tell them where their systems are vulnerable.

Coupled with the fact that it has taken the US far too long to start moving towards Chip & PIN, he adds, it is clear that each party in a major organisation that accepts payment cards need to play their role in security.

"It's far too easy for middle management to fudge their responsibilities under PCI DSS. The solution may well lie in making your company IT system more secure than the rest, meaning the attackers will look elsewhere," he said, adding that completing the basic processes of security - such as patching and securing - will also assist in making a company's IT resources more secure.

According to Sembhi, who is a leading light in ISACA, the not-for-profit IT security association, if you get the basics right, you can then analyse what is happening on your corporate IT system a lot more easily.

"If you take it as a given that your organisation is going to be subject to an attack, then you can assemble the resources needed to shut the attackers out," he said, adding that this a process that RSA and others call `the kill chain.'


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews