US Home Depot breach could potentially be as big as Target's

In what could turn out to be another huge data breach, Home Depot on Tuesday confirmed that it is investigating a potential compromise of credit card and debit card data belonging to an unspecified number of customers.

In what could turn out to be another huge data breach, Home Depot on Tuesday confirmed that it is investigating a potential compromise of credit card and debit card data belonging to an unspecified number of customers.

Security blogger Brian Krebs , who first reported the breach, today estimated that it could end up being potentially even larger than the one at Target, which compromised data on more than 40 million payment cards.

Several banks have reported that the intrusion at Home Depot occurred in late April or early May and remained undetected until recently, Krebs noted. Indications are that all 2,200 Home Depot stores in the U.S. may be affected.

"If that is accurate -- and if even a majority of Home Depot stores were compromised -- this breach could be many times larger than Target," Krebs wrote.

Paula Drake, a Home Depot spokeswoman, said the company is investigating reports of a potential breach of its networks but provided little details on what might have happened.

"At this point, I can confirm that we're looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," Drake said in an emailed statement. "Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately."

Without further information, it would be inappropriate for the company to speculate on what might have happened, Drake added. "We will provide further information as soon as possible."

The Home Depot incident is the latest in a string of data thefts disclosed by U.S. businesses in recent days.

Others who have made similar announcements over the past few weeks include Supervalu Inc., one of the largest U.S. grocery wholesalers and retailers, UPS Store Inc. and Dairy Queen.

The breach disclosures come amid escalating concerns within the U.S. payment industry of hackers using malware code dubbed Backoff to steal data from point-of-sale (PoS) system networks. The hackers behind the breaches at Target, P.F Changs and Neiman Marcus are believed to have used Backoff to steal data from each company's PoS systems.

The U.S. Department of Homeland Security and the U.S. Secret Service have issued two alerts warning retailers about Backoff and noting that the malware has infected at least 1,000 U.S. businesses. In most cases, hackers were able to deposit the malware on PoS networks after first gaining access to them via remote access applications, the two agencies warned.

The Payment Card Industry Security Standards Council, which oversees the PCI security standard, issued an urgent bulletin in late August urging retailers to review security controls and take additional protective measures, such as end-to-end encryption, to protect against the malware.

Last Friday, security firm Kaspersky Labs warned that Backoff might have infected a lot more systems than generally perceived.

"It is clear that criminals who are targeting the retail industry have tactics, techniques and procedures that most retailers aren't well prepared to stop," said Rob Sadowski, director of technology solutions at RSA, the security division of EMC. "Cyber criminals targeting payment card data are going after the biggest, most lucrative targets because they feel that they can succeed. And this latest breach, if the reports are true, is proving them right once again."

The latest breach appears to have followed the same pattern as previous breaches at Target, Nieman Marcus and P.F. Changs, said Michael Sutton, vice president of security research at security vendor ZScaler.

"These breaches could have largely been avoided had U.S. retailers adopted the 'chip and PIN' technology mandated in debit and credit cards in most industrialized countries," Sutton said. "The technology has not been widely adopted in the U.S. primarily due to lobbying by retailers who were concerned about the cost of implementing the technology."

The fact that many of these breaches are discovered by third parties and not the retailers themselves is especially troubling, Sutton said.

"It is concerning that gigabytes of credit card data can be syphoned from hundreds of retails stores each day for months and ultimately be sent to attackers in Eastern Europe without alarms being raised or reacted to," Sutton said.

Join the CSO newsletter!

Error: Please check your email address.

Tags Targetdata securitysecuritydata protection

More about DrakeHome DepotInc.KasperskyRSASupervalu

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place