Home Depot credit card hack - bigger than Target?

News by Steve Gold

All 2,200 Home Depot stores may be affected by the latest credit card hack suggests security researcher Brian Krebs.

Home Depot - the 2,200-strong US store chain - seems to be the latest in a long line of retailers that have been targeted by hackers intent on harvesting customer card credentials.

Details of the hack are still emerging, but according to security researcher Brian Krebs, the case may involve all of the retailer's 2,200 US stores and may be on a larger scale than the now-infamous Target hack of late last year, since when other US retail chains - notably Nieman Marcus and PF Changs - have also been hit.

Krebs also says that a further 280-plus Home Depot stores in Canada, Guam, Mexico and Puerto Rico may be involved.

The Ars Technica newswire quotes a Home Depot spokesperson as saying the chain is looking into some unusual activity and working with its banking partners and law enforcement to investigate.

"Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers," said the company in a prepared statement late yesterday.

As reported by SCMagazineUK last week, the PCI Security Standards Forum warned of the Backoff malware, which has been infecting POS (Point of Sale) systems since last year, but has only recently been detectable by commercial IT security software.

Backoff has also been noted as being used to target more than 1,000 retail firms across the US and around the world, allowing cybercriminals to remotely harvest card credentials and associated PIN numbers.

Krebs, of the KrebsonSecurity newswire, says that batches of card credentials from Home Depot have been seen for sale on so-called carder forums labelled `American Sanctions' and `EU Sanctions,' suggesting that hackers are upset with Western nations over their economic sanctions against Russia.

The researcher said last night that several banks he had contacted "said they believe this breach may extend back to late April or early May 2014."

"If that is accurate - and if even a majority of Home Depot stores were compromised - this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period," he noted.

Rob Cotton, CEO with the NCC Group says that the emerging Home Depot saga appears to be another example of attackers exploiting the soft underbelly of the financial food chain for profit.

"The typical physical controls and defences in a retail outlet - coupled with the transient nature of staff - means the initial attack vector could be in-store, as opposed to the Internet," he said, adding that it is often forgotten that POS devices are simply general purpose PCs - and are therefore subject to similar dangers and vulnerabilities.
The retail sector, he explained, is an industry that relies on compliance driven security, but this is an ineffective model, which won't always achieve the intended goals.

"With the number of high-profile breaches growing rapidly, retailers need to get on the front foot and be proactive about protecting their customers and systems," he said.

It's an epidemic

Ken Westin, a security analyst with Tripwire, said that it is now safe to say that mega retailer point-of-sale data breaches are approaching the point of an epidemic.

These breaches, he said, are having a significant impact on consumer trust and many of the retailers still do not fully comprehend the scope or origin of the breaches.

"Organised criminal syndicates are actively targeting US retailers simply because they've become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected," he noted.

Westin went on to say that most of these retailers have been notified of potential fraud after the fact usually by fraud analysts at financial institutions who detect stolen credit card activity.

"They then map the activity back to specific retailers as the common point of origin," he explained.

No surprise

Philip Lieberman, CEO of Lieberman Software, said the Home Depot hack comes as no surprise.

"We were in contact with them many years ago trying to convince them to implement automation technology to rotate their passwords, but they chose to implement a less expensive and inferior solution from an off-shore company. The rest of the targets in the listed article by [Brian] Krebs purchased the same ineffective technology from the same off-shore company with similar results," he said.

Russ Spitler, VP of product strategy with AlienVault, meanwhile, said that hackers are certainly not worried about any potential changes in credit card infrastructures, referring to the planned implementation of smart card features in the US, as seen in Europe and elsewhere over the last decade.

He explained, "We are,seeing a stark reality of the economic incentives the hackers are exploiting.

"Major retail chains are easy targets because they have not invested in cybersecurity. Banks are no longer easy targets, they have fortified themselves and even built protections for their consumers, but point of sale systems originally designed and built years ago are easy places to grab a foothold," he said.

"Hackers are focusing on retailers because 'that is where the money is' - it is the easiest target with the greatest reward. These criminals are doing the cost analysis of the investment they need to make to breach a target and what they are going to get in return," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews