BreachExchange mailing list archives
Home Depot Says Data From 56 Million Cards Taken in Breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Sep 2014 17:37:51 -0600
http://bits.blogs.nytimes.com/2014/09/18/home-depot-says-data-from-56-million-cards-taken-in-breach/?_php=true&_type=blogs&_r=0

Home Depot said on Thursday that the account information of 56 million cardholders was compromised in what is the largest known breach of a retail company’s computer network.

Home Depot said hackers breached the company’s cash register systems in its United States and Canadian stores in April. The hackers, the company said, used custom-built malware designed to evade traditional security tools that had not been previously used in other cyberattacks.

The company said it had since removed infected registers and closed off the hackers’ mode of entry and that it had been using new encryption systems in its American and Canadian stores for the past nine months.

Home Depot has been scrambling to investigate the breach since it became public on Sept. 8. It is unclear how the company missed signs of the attack after the breach at Target and after the Secret Service and Department of Homeland Security warned retailers in July that their systems were potentially compromised.

The company said its encryption project began in January but had not been completed in its American stores until Sept. 13. It said encryption in its Canadian stores would not be completed until 2015.

Home Depot’s attack went unnoticed for five months. During that time, hackers found an entry into the company’s network, crawled to its store payment systems and installed malware that was engineered to scrape payment data off the memory in the company’s registers during processing. The hackers then sent that data back to their servers abroad.

Home Depot said it would offer free identity protection and credit-monitoring services to any customer who had used a credit or debit card at any of its affected stores.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” Frank Blake, Home Depot’s chief executive, said in a statement.

Security experts and law enforcement say that hackers are actively scanning merchants’ networks for ways to gain remote access to their systems.

The Department of Homeland Security and the Secret Service recently estimated that more than 1,000 businesses in the United States had been infected with malware that is programmed to siphon payment card details from cash registers in stores. They believed that many of these businesses did not even know they were sharing customers’ credit card information.

Besides Home Depot and Target, among the companies that have been attacked by hackers are U.P.S., Goodwill, P.F. Chang’s, Sally Beauty, Michael’s and Neiman Marcus.

The only way to thwart such attacks, security experts say, is for merchants to migrate to a new chip-based payment standard known as E.M.V., short for Europay-MasterCard-Visa, the technology’s first backers. The technology makes it more difficult for criminals to use stolen account information to make purchases or to use the information to create counterfeit cards.

Home Depot said that the migration to E.M.V. required writing tens of thousands of lines of new software code and deploying it to 85,000 new PIN pads in its stores. It said Thursday that E.M.V. already existed in its Canadian stores but would not be rolled out in its United States stores until the end of the year.

Credit card companies have set an October 2015 deadline for American retailers to upgrade their payment systems.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/