After weeks of speculation, The Home Depot Inc. has confirmed that it was the victim of a data breach that led...
to the compromise of approximately 56 million payment cards, topping the 2013 Target Corp. breach to become the largest publicly reported retail payment card breach in history.
In an update released yesterday, the Atlanta-based home improvement retail giant reaffirmed a report made earlier this month that attackers were believed to be present on the company's networks from April to September. Home Depot further clarified that despite the compromise of data involving 56 million credit and debit cards, there is no evidence that PIN numbers or online customers were affected. The company failed to provide details on what data may have been leaked beyond card numbers.
A statement on the Home Depot website reiterated that customers affected by the breach would not be held liable for any fraudulent charges, and that free identity protection services and credit monitoring would be on offer.
"We apologize to our customers for the inconvenience and anxiety this has caused," said Frank Blake, Home Depot chairman and CEO, in the statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
Friday morning some customers received an email summarizing the incident and offering 12 months of free identity protection and credit-monitoring services.
Home Depot breach involved custom POS malware
The Home Depot update did provide further clarification on the malware believed to have been used as part of the breach. FishNet Security Inc. and Symantec Corp., the security firms hired by the company to assist with the breach investigation, believe that the breach was the result of custom-built malware that had not previously been used in other attacks, according to the Home Depot statement, seeming to rule out earlier speculation regarding a connection to the Backoff POS malware campaign that was featured in a recent FBI warning. Home Depot said that any point-of-sale (POS) terminals believed to have been infected by the malware were taken out of service and the malware was fully cleaned from all its systems.
An earlier report from security firm Trend Micro Inc. had previously linked the incident to the BlackPOS malware, said to be behind the Target breach, but Josh Grunzweig, malware reverser at Nuix, said in a blog post that the malware used against Home Depot featured significant differences from BlackPOS.
Tom Kellermann, chief cybersecurity officer for Trend Micro, questioned whether the suspect malware was indeed customized in any significant fashion, or whether it was a savvy move by the company's PR team to describe it as such. Kellermann also questioned a report by security journalist Brian Krebs on his site, which cited sources stating that the Home Depot malware may have only affected self-checkout terminals, which would explain why only 56 million cards were stolen during a months-long time frame.
Home Depot breach 'twice as bad as Target'
Regardless of the malware used against Home Depot, Kellermann said that the incident was a "fiasco" because the home improvement retailer failed to implement any of the major suggestions delivered to all retailers by the FBI after the Target breach, including evolving its incident response plan or segregating its networks with host-based intrusion detection systems.
"Even though the breach happened in the spring, Home Depot still had four months to react, to just implement those five critical things," said Kellermann. "I would say it is twice as bad as Target because they didn't learn the lessons from Target."
Rick Holland, principal analyst at Forrester Research Inc., based in Cambridge, Mass., said that there is still much to be determined about the malware that struck Home Depot based on what has been divulged so far, but the threat to other retailers is clear.
"From the technical and tactical side of things, I think there's a lot to be determined and be released," said Holland. "but these types of incidents are going to continue. … The next Home Depot or Target is out there because they all have a similar level of collective security being low, and PCI clearly isn't solving the problem."
Home Depot builds out POS protections
Aside from details on the incident itself, the Home Depot statement also offered a glimpse of the security improvements the company is making to prevent future breaches.
For one, the company reiterated its plans to roll out EMV chip-and-PIN technology to all U.S.-based stores by the end of this year; the technology is already in place at all its Canadian locations.
Home Depot also said it completed the deployment of an encryption product from encryption vendor Voltage Security Inc. on Sept. 13 that was originally purchased in January. The announcement confirms an earlier report from Bloomberg Businessweek that the company had purchased, but not yet rolled out, technology to encrypt payment data. That same report noted that Symantec had found Home Depot to be running out-of-date malware-detection systems months prior to the breach announcement.
Steven Weil, senior security consultant for consultancy CoalFire Systems Inc., based in Louisville, Colo., said that Voltage Security offers several encryption products that may be of use to Home Depot. Out of those that CoalFire had evaluated, Weil said the products could significantly increase the security of payment card data if implemented correctly -- meaning end-to-end encryption (E2EE) that encrypts data from the time a payment card is swiped until it reaches the bank handling the transaction.
E2EE is important, Weil added, because attackers are increasingly employing memory-scraping malware that targets card data when it is briefly unencrypted on a POS terminal.
"If Home Depot has correctly implemented E2EE (e.g., strong encryption, no access by Home Depot to decryption keys)," said Weil via email, "then their POS system security would be significantly increased.
"Merchants, big and small, are facing very smart, determined attackers who are capable of creating, deploying and managing sophisticated malware," Weil added. "I think it's likely that a not insignificant number of merchants currently have malware running on their POS systems and either haven't detected the malware yet or haven't announced a breach."
For more on POS security weaknesses, read what experts said needed to be improved in the wake of the Target breach.
Also learn about the biggest threats to POS systems.