Home Depot says 56 million payment cards compromised in breach

US retail chain Home Depot says that 56 million payment cards are at risk following a malware-laden cyber-attack on eftpos tills across its stores in the US and Canada.

The investigation into a possible breach began on Tuesday morning, 2 September, immediately after Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems.

In a statement, the company says: "Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot's security partners."

The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards, after lurking in the company's eftpos tills for four months between April and September.

Home Depot says that it has since ripped out eftpos tills infected with the rogue virus - which is understood to have compromised the retailer's self-checkout terminals - and has rolled out enhanced encryption of payment data to all US stores.

While the breach has been seen as a further proof-point in the US push to adopt Chip and PIN at the point-of-sale, the fact that the outbreak also hit the home improvement chain's Canadian stores - where the EMV standard has been implemented - leaves pause for thought. Nonetheless, the retailer has committed to installing 85,000 PIN pads at its US outlets, well ahead of the national 2015 deadline.

Home Depot has set aside $65 million to cover the cost of investigating the data breach, providing credit monitoring services to its customers, increasing call centre staffing, and paying for legal and professional services. Approximately $27 million of the projected outlay will be covered by the company's insurance.

Home Depot CEO Frank Blake says: "We apologise to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges."

Comments: (9)

Bill Trueman - Riskskill.com - London 19 September, 2014, 13:13

This has to be one of the worst infiltrations and financial crimes ever. And I mean the one committed by Home Depot, not by the criminals. 

- PCI DSS has been around for a decade and big merchants think that they can use their muscle to delay and avoid implementing solutions.

- Home Depot are the sort of size of organisation that should have led the way into EMV (Chip and PIN) years ago and not left it to others to drive forward.

- Why did they leave it to discover this on 2nd September? It must have been going on for ages, and known about at Home Depot for months.

- When they saw the Target losses, this should have immediately (at least a year ago) led to action by the people at Home Depot to ensure that they were not exposed.

- Many might say that the company has 'lost the plot', that the executives have either been 'totally incompetent' or focused upon the wrong things - so also incompetent. Which is it? Can you see the incompetence?

- There will be a lot more of these things because others will be doing the same.

- The banks are also culpable too, for having invented EMV 20 years ago and then letting the ENTIRE world excluding the USA implement it to prevent cards that are compromised in this way being used thereafter; with only stupid excuses as to why not to implement in the USA.

Let's be clear: 56 million compromised cards, at a sale price on the dark web of $50 each, means the theft of customer/bank cards worth $2.8 billion. If the average loss on a compromised card is $1,000, then the consequential losses will be $56 billion.

However, all these cards will not be sold on and used in this way, because banks will cancel them and re-issue them at costs far exceeding the costs to Home Depot, and 56 million customers will be inconvenienced at no cost to Home Depot (or their insurers).

Now can you see the incompetence?


A Finextra member 20 September, 2014, 10:33

It's interesting to see the consequence of becoming a laggard in security. Fraudsters go for the low-hanging fruit, and when the world adds security you are suddenly that fruit. Some years ago I demonstrated 2-factor authentication for an American banker - a type of solution that has been the standard for online banking in northern Europe for a decade. His response was "this is not for my customers", meaning that the users would not accept the burden of having a token in addition to a password. Chip and PIN is also a kind of a burden, but it works just fine. Trust me! And out of respect for your customers: stop thinking that Americans cannot handle simple security measures.
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 September, 2014, 13:54

According to leading US retail analyst RSR Research, Target and Home Depot were both PCI-DSS compliant. 

http://www.rsrresearch.com/2014/09/16/the-endless-data-security-saga-continues/

Considering that both the Target and Home Depot breaches happened at the POS, the question is: does PCI-DSS cover endpoint security?

A Finextra member 20 September, 2014, 14:35

Endpoint security is covered in the standard. The POS terminal must be certified according to the standard. To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications. Malware can target these applications as well as any other application. Today, payment applications are more or less open once the hacker has injected his malware. The standard should include a requirement to harden the application so it can protect itself.
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 21 September, 2014, 18:24

@BjornS: TY for your reply. When I first heard about "self-protecting and self-healing" applications in the aerospace industry, I was amazed. However, I didn't think too highly of the technology when I learned, several years ago, that a mere loose tile had brought down a multibillion-dollar space shuttle program. Thanks to Moore's Law, technology grows by leaps and bounds and things could be very different today. I'm curious to know if there are live examples of such applications in BFSI or any other industry by now.

A Finextra member 22 September, 2014, 09:46

@Ketharaman: "self-healing" is a big promise to make for a piece of software. On the other hand, "self-protecting" has been successfully used in the bank/finance industry since 1999. With the move to mobile apps we see growing security concerns and more focus on app shielding (or app hardening, as some prefer to call it).

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 22 September, 2014, 11:50

@BjornS: TY for your reply. What are some specific examples of "self-protecting" apps in BFSI?

A Finextra member 22 September, 2014, 14:51

It started with a downloadable bank application for Windows back in 2009. Mobile payment apps, mobile banking apps and mobile one-time-code apps are all good examples of solutions in the field.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 22 September, 2014, 15:33

Okay, thanks, @BjornS. 