Data shows Home Depot breach could be largest ever

It looks like US chain Home Depot may have earned the dubious distinction of being responsible for the biggest compromise ever involving credit and debit card data.

Security blogger Brian Krebs, who first reported the data breach Tuesday, updated his report today with new information gathered from the cyber underground. According to Krebs, the data strongly suggests that a breach occurred at nearly all of Home Depot's 2,200 stores in the U.S.

Krebs based his conclusion on a review of stolen credit and debit card data posted on an online store that sells such information. The site lists each card, along with the city, state and ZIP code of the card owner, as well as the store code where the data was stolen.

The data allows crooks who want to buy stolen card data to focus on credit and debit cards that are local to the area in which they operate, Krebs noted.

Crooks can create spoofed cards with the stolen data and use those cards to make fraudulent purchases from retail locations where the card is normally used. The tactic allows thieves to use stolen cards for a longer time without being detected by financial institutions. The same tactic was used with data stolen from Target last year.

"This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder's geographic region (particularly in the wake of a major breach)," Krebs wrote.

Krebs said he obtained a list of compromised cards that four banks have traced back to transactions at Home Depot. He then compared that list with a list of more than 3,000 stolen cards currently available for sale on the online store. The cards that Krebs looked at were obtained from a total of 1,822 ZIP code areas around the country. Only 10 of those ZIP codes did not correspond to Home Depot store locations, he said.

Krebs noted that the card data he reviewed represents only a tiny fraction of the cards that are available for sale through the online store. But it is enough to suggest that those behind the breach have obtained card data from nearly every Home Depot location, he said.

"The banks I spoke with in reporting this story say the data they're looking at suggests that the breach probably started in late April or early May. To put that in perspective, the Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks, and resulted in the theft of roughly 40 million debit and credit card numbers.

"If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target," Krebs wrote.

Home Depot itself has so far not confirmed a data breach and has only said that it is investigating reports of "unusual activity" involving credit and debit cards used at its stores. It did not respond immediately to a request for comment on Krebs' latest disclosures.

However, in a statement earlier Wednesday, the home improvement giant reassured customers that they would not be liable for any fraudulent charges on their cards if a breach occurred. "The financial institution that issued your card or Home Depot are responsible for those charges should we confirm a breach," the company said. "If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers."

Several companies have reported data breaches in recent days, including grocery chain Supervalu, UPS Stores Inc. and Dairy Queen.

The breaches have highlighted escalating concerns over a point of sale (PoS) system malware tool dubbed "Backoff" that was used in the massive data heists at Target and others like Neiman Marcus and P.F. Chang's.

According to federal law enforcement authorities, Backoff has infected PoS systems at around 1,000 retailers. Security firm Kaspersky Labs, which conducted its own research into the malware, believes the number could be much higher.

Since news of the potential breach went public, Home Depot's shares have fallen by over 3%, from US$93.11 at 11.00 ET Tuesday to $90.34 at 2.00 ET today. It is unclear, though, whether that drop is the direct result of the breach news or of other factors.

Stories by Jaikumar Vijayan
