Home Depot says 56 million payment cards compromised in breach

Home Depot says 56 million payment cards compromised in breach

US retail chain Home Depot says that 56 million payment cards are at risk following a malware-laden cyber-attack on eftpos tills across its stores in the US and Canada.

The investigation into a possible breach began on Tuesday morning, 2 September, immediately after Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems.

In a statement, the company says: "Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot's security partners."

The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards, after lurking in the company's eftpos tills for four months between April and September.

Home Depot says that it has since ripped out eftpos tills infected with the rogue virus - which is understood to have compromised the retailer's self-checkout terminals - and has rolled out enhanced encryption of payment data to all US stores.

While the breach has been seen as a further proof-point in the US push to adopt Chip and PIN at the point-of-sale, the fact that the outbreak also hit the home improvement chain's Canadian stores - where the EMV standard has been implemented - leaves pause for thought. Nonetheless, the retailer has committed to installing 85,000 PIN pads at its US outlets, well ahead of the national 2015 deadline.

Home Depot has set aside $65 million to cover the the cost to investigate the data breach, provide credit monitoring services to its customers, increase call centre staffing, and pay legal and professional services. Approximately $27 million of the projected outlay will be covered by the company's insurance.

Home Depot CEO Frank Blake says: "We apologise to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges."

Comments: (9)

Bill Trueman
Bill Trueman - Riskskill.com - London 19 September, 2014, 13:13Be the first to give this comment the thumbs up 0 likes

This has to be one of the worst infiltrations and financial crimes ever. And I mean the one committed by Home Depot, not by the criminals. 

- PCI DSS has been around for a decade and big merchants think that they can use their muscle to delay and avoid implementing solutions.

- Home Depot are the sort of size of organisation that shoudl have led the way into EMV (Chip and Pin) years ago and not left it to others to drive forward.

- Why did they leave it to discover this on 2nd September. It must have been going on for ages, and known about at Home Depot for months. 

- When they saw the Target losses, this shoudl have immediately (at least a year ago) led to action by the people at Home Depot to ensure that they were not exposed.

- Many might say that the company has 'lost the plot', that the executives have either been 'totally incompetent' or focused upon the wrong things - so also incompetent. Which is it? Can you see the incompetence?

- There will be a lot more of these things because others will be doing the same.

- The banks are also culpable too, for having invented EMV 20 years ago and then letting the ENTIRE world excluding the USA implement it to prevent cards that are compromised in this way being used thereafter; with only stupid excuses as to why not to implement in the USA.

Let's be clear 56million compromised cards = at a sale price on the dark-web of $50 each, the theft of customer/bank cards of $2.8 billion. If the average loss on a compromised card is $1,000 - then the consequential losses will be $56Billion.

However all these cards will not be sold-on and used in this way because banks will cancel them an re-issue them at costs far exceeding the costs to Home Depot, and 56 million customers will be inconvenienced at no cost to Home Depot (or their insurers).  

Now can you see the incompetence?

 

A Finextra member
A Finextra member 20 September, 2014, 10:33Be the first to give this comment the thumbs up 0 likes Its interesting to see the consequence of becoming a laggard in security. Fraudsters go for the low hanging fruit and when the world add security you are suddenly that fruit. Some years ago I demonstrated 2 factor authentication for an American banker - a type of solution that has been the standard for online Banking in norhern Europe for a decade. His response was "this is not for my customers", meaning that the users would not accept the burden of having a token in addition to a password. The chip and PIN is also a kind of a burden but it works just fine. Trust me! And of respect for your customers: Stop thinking that americans cannot handle simple security measures.
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 September, 2014, 13:54Be the first to give this comment the thumbs up 0 likes

According to leading US retail analyst RSR Research, Target and Home Depot were both PCI-DSS compliant. 

http://www.rsrresearch.com/2014/09/16/the-endless-data-security-saga-continues/

Considering that both Target and Home Depot breaches happened at the POS, question is, does PCI-DSS cover endpoint security?

A Finextra member
A Finextra member 20 September, 2014, 14:35Be the first to give this comment the thumbs up 0 likes Endpoint security is covered in the standard. The POS terminal must be certified according to the standard. To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications. Malware can target these applications as well as any other application. Today payment applications is more or less open once the hacker has injected his malware. The standard should include a requirement to harden the application so it can protect itself.
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 21 September, 2014, 18:24Be the first to give this comment the thumbs up 0 likes

@BjornS: TY for your reply. When I first heard about "self-protecting and self-healing" applications in the aerospace industry, I was amazed. However, I didn't think too highly of the technology when I learned, several years ago, that a mere loose tile had brought down a multibillion dollar space shuttle program. Thanks to Moore’s Law, technology grows by leaps and bounds and things could be very different today. I’m curious to know if there are live examples of such applications in BFSI or any other industry by now. 

A Finextra member
A Finextra member 22 September, 2014, 09:46Be the first to give this comment the thumbs up 0 likes

@Ketharaman: "self healing" is a big promise to make for a piece of software. On the other hand "self protecting" has been successfully used in the bank/finance industry since 1999. With the move to mobile apps we see growing security concerns and more focus on app shielding (or app hardening as som prefer to call it).

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 22 September, 2014, 11:50Be the first to give this comment the thumbs up 0 likes

@BjornS: TY for your reply. What are some specific examples of "self protecting" apps in BFSI?

A Finextra member
A Finextra member 22 September, 2014, 14:51Be the first to give this comment the thumbs up 0 likes

It started with a downloadable bank application for Windows back in 2009. Mobile payment apps, mobile banking apps, mobile one time code apps are all good examples of solutions in the field.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 22 September, 2014, 15:33Be the first to give this comment the thumbs up 0 likes

Okay, thanks, @BjornS. 

Visit apc.com

Trending Stories