Latest card data heist - may be bigger breach than Target says Brian Krebs

Home Depot - the 2,200-strong US store chain - seems to be the latest in a long line of retailers that have been targeted by hackers intent on harvesting customer card credentials.

Details of the hack are still emerging, but according to security researcher Brian Krebs, the case may involve all of the retailer's 2,200 US stores and may be on a larger scale than the now-infamous Target hack of late last year; since then, other US retail chains - notably Neiman Marcus and P.F. Chang's - have also been hit.

Krebs also says that a further 280-plus Home Depot stores in Canada, Guam, Mexico and Puerto Rico may be involved.

The Ars Technica newswire quotes a Home Depot spokesperson as saying the chain is looking into some unusual activity and working with its banking partners and law enforcement to investigate.

"Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers," said the company in a prepared statement late yesterday.

As reported by SCMagazineUK last week, the PCI Security Standards Forum warned of the Backoff malware, which has been infecting POS (Point of Sale) systems since last year, but has only recently been detectable by commercial IT security software.

Backoff has also been reported as being used to target more than 1,000 retail firms across the US and around the world, allowing cybercriminals to remotely harvest card credentials and associated PINs.

Krebs, of the KrebsOnSecurity newswire, says that batches of card credentials from Home Depot have been seen for sale on so-called carder forums labelled "American Sanctions" and "EU Sanctions," suggesting that hackers are upset with Western nations over their economic sanctions against Russia.

The researcher said last night that several banks he had contacted "said they believe this breach may extend back to late April or early May 2014."

"If that is accurate - and if even a majority of Home Depot stores were compromised - this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period," he noted.

Rob Cotton, CEO with the NCC Group says that the emerging Home Depot saga appears to be another example of attackers exploiting the soft underbelly of the financial food chain for profit.

"The typical physical controls and defences in a retail outlet - coupled with the transient nature of staff - means the initial attack vector could be in-store, as opposed to the Internet," he said, adding that it is often forgotten that POS devices are simply general purpose PCs - and are therefore subject to similar dangers and vulnerabilities.

The retail sector, he explained, is an industry that relies on compliance-driven security, but this is an ineffective model, which won't always achieve the intended goals.

"With the number of high-profile breaches growing rapidly, retailers need to get on the front foot and be proactive about protecting their customers and systems," he said.