New evidence suggests that the apparent data breach at home improvement retail giant Home Depot may have affected customers across nearly all U.S. locations over the course of several months, potentially dwarfing the massive Target data breach in 2013.
According to investigative security journalist Brian Krebs, an analysis of more than 3,000 payment cards available on rescator.cc -- the online shop that sold cards gathered from breaches at Target, P.F. Chang's and others -- shows a 99.4% overlap between the ZIP codes of the cards and Home Depot U.S. locations. Krebs said on his site that only 10 ZIP codes attached to the cards available on Rescator don't match Home Depot stores.
Nicholas Weaver, a researcher at UC Berkeley's International Computer Science Institute, told Krebs that the overlap between ZIP codes and available cards meant that Home Depot is likely the source, though the Atlanta-based Fortune 500 retail chain has yet to confirm that a data breach did in fact occur. A statement on the company's website said that it is "looking into some unusual activity," and spokesperson Paula Drake has also elaborated in press conferences that the company has hired security firms Symantec Corp. and FishNet Security to help investigate the breach.
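To make the ZIP-code overlap test described above concrete, here is an added example (not Krebs's analysis or code from the article) that scores hypothetical retailer footprints against the ZIP codes attached to cards in a dump; all ZIP data and chain names are constructed for illustration.

```python
"""Toy version of the card-ZIP versus store-ZIP overlap test.

Added example, not from Krebs or the article. Given the ZIP codes attached to
cards offered on a carding shop and each candidate retailer's store ZIPs, it
reports the fraction of cards that fall inside each footprint and which ZIPs
do not match. All data below is constructed and hypothetical.
"""
from collections import Counter

# Constructed sample: ZIP codes attached to cards in a dump (repeats allowed,
# since many cards are used in the same area).
CARD_ZIPS = ["30301", "30301", "30339", "60601", "60601",
             "90210", "73301", "02108", "98101", "33101"]

# Constructed store footprints for two hypothetical chains.
STORE_ZIPS = {
    "chain_a": {"30301", "30339", "60601", "90210", "73301",
                "02108", "98101", "19103"},
    "chain_b": {"30301", "60601", "90210", "10001"},
}


def zip_overlap(card_zips, store_zips):
    """Return (fraction of cards whose ZIP is a store ZIP, set of unmatched ZIPs)."""
    if not card_zips:
        return 0.0, set()
    counts = Counter(card_zips)
    matched = sum(n for z, n in counts.items() if z in store_zips)
    unmatched = {z for z in counts if z not in store_zips}
    return matched / len(card_zips), unmatched


def rank_candidates(card_zips, footprints):
    """Rank candidate retailers by overlap, highest first.

    Footprint size is reported alongside the score because a chain with a
    store in nearly every ZIP would score well against any dump; overlap
    is suggestive evidence, not proof of the source.
    """
    rows = []
    for name, zips in footprints.items():
        frac, unmatched = zip_overlap(card_zips, zips)
        rows.append({"retailer": name, "overlap": round(frac, 4),
                     "unmatched": sorted(unmatched), "footprint": len(zips)})
    rows.sort(key=lambda r: r["overlap"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in rank_candidates(CARD_ZIPS, STORE_ZIPS):
        print(row)
```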
"Our forensics and security teams have been working around the clock," Drake said in a media statement. "In the event we determine there has been a data breach, our customers will not be responsible for any possible fraudulent charges."
Krebs, who first broke the news regarding a possible Home Depot data breach on Tuesday, previously noted that several sources at financial institutions indicated that the incident may have begun in late April or early May, potentially giving attackers an approximately four-month window in which to steal data from 2,200 U.S.-based stores.
In comparison, the Target breach that resulted in the compromise of some 40 million payment cards reportedly occurred during only a three-week period last year and affected just under 1,800 stores. That breach played a role in a string of bad financial results for the company, including $146 million in breach-related expenses outside of insurance coverage, and culminated in the ousting of Target CEO Gregg Steinhafel and other long-time executives. Stifel Nicolaus analyst David Schick told The Wall Street Journal that a Target-esque breach at Home Depot could cost the home improvement retailer seven cents a share this year.
Details on how exactly attackers may have infiltrated Home Depot's network are scant at this point. Krebs indicated that the attackers behind the incident may be the same group of Russian and Ukrainian hackers linked to the breaches at Target, Sally Beauty, P.F. Chang's and a string of other retailers. If that is the case, Home Depot may be among the more than 1,000 U.S. businesses that the U.S. government recently warned had been victimized by the Backoff point-of-sale malware campaign.
In the wake of its massive data breach, Target hired a CISO to oversee its security operations. With security playing an increasingly prominent role in the wellbeing of a business, is there any reason CISOs shouldn't be the norm?