Cybercrime

Home Depot Gives 56 Million Customers a Heads Up

Home Depot has uttered the warning to its customers that every retailer must dread: Carefully check your credit card transactions. The theft of payment data that lasted for at least five months may have affected up to 56 million customers, making the Home Depot breach potentially worse than the one that devastated Target last year. Company officials are now scrambling to control the damage.

Home Depot on Thursday said it had excised the malware demon from its computerized payment system after its recent discovery of a security breach in which thieves stole records of 56 million credit cards.

Home Depot stopped short of admitting that an ongoing security upgrade may have contributed to the breach. Efforts to harden the system with enhanced encryption and new technology will not be completed in some areas until early next year.

Cybercriminals used a custom-built malware attack to evade detection for at least five months — from April to September — the company said.

The malware had not been seen in other attacks, according to Home Depot’s security partners.

The hackers’ method of entry is now closed, the company emphasized. Any terminals identified with the malware were taken out of service, and security enhancements were put in place.

“Customers should carefully monitor their statements and take advantage of the free ID protection and credit monitoring we are offering,” Paula Drake, a Home Depot spokesperson, told the E-Commerce Times.

Still at Risk

Despite the measures taken, Home Depot and its customers could face future consequences from the breach. There is no evidence that debit card PINs were compromised, or that the breach impacted stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca.

“We don’t know if email addresses have been stolen, said Stu Sjouwerman, CEO of KnowBe4. “Probably not. So consumers are probably just dealing with the standard compromised credit card accounts.”

This malware attack was a very specific software vulnerability. Once it is plugged, you are OK, he told the E-Commerce Times.

“You are not going to find that particular problem coming back,” Sjouwerman said, but “that does not mean there will not be other problems Home Depot will run into.”

For instance, if hackers did obtain debit card PINs, they could wipe out customers’ banking accounts, he warned.

Watch and Wait

Home depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store from April 2014. Customers who wish to take advantage of this service can learn more at www.homedepot.com or by calling 1-800-HOMEDEPOT (800-466-3337). Customers in Canada can call 800-668-2266.

“We’ll continue to focus on the customer and take care of them through this process. We’ve had that commitment from day one, and it is our clear focus,” said Drake.

In addition to using the credit-monitoring services the company is offering affected customers, Home Depot shoppers should be very careful to check for bogus charges placed on their credit cards, suggested Sjouwerman.

They also should be aware of new credit card accounts being applied for in their name.

“Those are the two main things you find with identity theft,” he said.

Missing Encryption

Home Depot’s new payment security protection locks down payment data through enhanced encryption. It takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.

The new technology, which comes from Voltage Security, has been tested and validated by two independent IT security firms, Home Depot said. The encryption project was launched in January.

However, the rollout was not completed in all U.S. stores until last weekend. The rollout to Canadian stores won’t be completed until early 2015.

Home Depot did not encrypt all of the transaction data, said Sjouwerman. Encryption has to be applied within the machine and while being transmitted within the payment network. “The credit card information that got stolen was not encrypted at the moment it was in system memory.”

Jack M. Germain has been writing about computer technology since the early days of the Apple II and the PC. He still has his original IBM PC-Jr and a few other legacy DOS and Windows boxes. He left shareware programs behind for the open source world of the Linux desktop. He runs several versions of Windows and Linux OSes and often cannot decide whether to grab his tablet, netbook or Android smartphone instead of using his desktop or laptop gear. You can connect with him onGoogle+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Cybercrime

E-Commerce Times Channels