BreachExchange mailing list archives

Home Depot Says Data From 56 Million Cards Taken in Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Sep 2014 17:37:51 -0600

http://bits.blogs.nytimes.com/2014/09/18/home-depot-says-data-from-56-million-cards-taken-in-breach/?_php=true&_type=blogs&_r=0

Home Depot said on Thursday that the account information of 56 million
cardholders was compromised in what is the largest known breach of a retail
company’s computer network.

Home Depot said hackers breached the company’s cash register systems in its
United States and Canadian stores in April. The hackers, the company said,
used custom-built malware designed to evade traditional security tools that
had not been previously used in other cyberattacks. The company said it had
since removed infected registers and closed off the hackers’ mode of entry
and that it had been using new encryption systems in its American and
Canadian stores for the past nine months.

Home Depot has been scrambling to investigate the breach since it became
public on Sept. 8. It is unclear how the company missed signs of the attack
after the breach at Target and after the Secret Service and Department of
Homeland Security warned retailers in July that their systems were
potentially compromised.

The company said its encryption project began in January but had not been
completed in its American stores until Sept. 13. It said encryption in its
Canadian stores would not be completed until 2015.

Home Depot’s attack went unnoticed for five months. During that time,
hackers found an entry into the company’s network, crawled to its store
payment systems and installed malware that was engineered to scrape payment
data off the memory in the company’s registers during processing. The
hackers then sent that data back to their servers abroad.

Home Depot said it would offer free identity protection and
credit-monitoring services to any customer who had used a credit or debit
card at any of its affected stores.

“We apologize to our customers for the inconvenience and anxiety this has
caused, and want to reassure them that they will not be liable for
fraudulent charges,” Frank Blake, Home Depot’s chief executive, said in a
statement.

Security experts and law enforcement say that hackers are actively scanning
merchants’ networks for ways to gain remote access to their systems. The
Department of Homeland Security and the Secret Service recently estimated
that more than 1,000 businesses in the United States had been infected with
malware that is programmed to siphon payment card details from cash
registers in stores. They believed that many of these businesses did not
even know they were sharing customers’ credit card information.

Besides Home Depot and Target, among the companies that have been attacked
by hackers are U.P.S., Goodwill, P.F. Chang’s, Sally Beauty, Michael’s and
Neiman Marcus.

The only way to thwart such attacks, security experts say, is for merchants
to migrate to a new chip-based payment standard known as E.M.V., short for
Europay-MasterCard-Visa, the technology’s first backers. The technology
makes it more difficult for criminals to use stolen account information to
make purchases or to use the information to create counterfeit cards.

Home Depot said that the migration to E.M.V. required writing tens of
thousands of lines of new software code and deploying it to 85,000 new PIN
pads in its stores. It said Thursday that E.M.V. already existed in its
Canadian stores but would not be rolled out in its United States stores
until the end of the year. Credit card companies have set an October 2015
deadline for American retailers to upgrade their payment systems.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
