A week after reports emerged of a breach of debit and credit card data at Home Depot, the home improvement retailer confirmed that thieves compromised the payment systems in its stores in Canada and the US.
Details about the extent of the breach, how long it lasted and how many debit and credit cards were affected have not been disclosed. However, it is believed the breach affected all 2,200 stores in the US and began four months ago.
Analysts and experts worry the outcome could be worse than last year’s Target breach, when 40 million customer account numbers were compromised and other information of 70 million customers was stolen.
The breach was first reported by KrebsOnSecurity a week ago. The source suggested that Home Depot’s systems were attacked by a variant of the same malware that compromised the systems at Target last year. Target has spent $146 million to solve data-breach issues since Q4 2013, paying most of the expenses for settling potential breach-claims made by payment card networks.
At least some of the store registers at Home Depot were infected with a variant of Kaptoxa, also known as BlackPOS, malware created to steal debit and credit card data at the moment a card is swiped through a register running Microsoft Windows, said Brian Krebs. BlackPOS was discovered on store registers at Target last year.
Here’s what professionals have to say about the breach:
“It doesn’t exactly say a lot of good things about their data security systems if something was able to go on for months and they didn’t notice,”
– Kenneth Dort, partner at intellectual property practice group, Drinker Biddle & Reath LLP.
Krebs said that a source close to the investigation revealed that a few terminals were infected with a variant of the BlackPOS malware, an earlier version of which was identified as the culprit in the Target attack. “Although nobody has said if it was the main culprit in this case or if it was just one of many malware used against HD,” – Malwarebytes head of intelligence Adam Kujawa stated in an email to VentureBeat.
That’s the takeaway from the Target debacle. “Companies need a swift response and to communicate that they are on it and will be relentless in addressing the issue.” – Tim Mescon, analyst and president of Columbus State University.
The response will depend on what the investigation finds was actually lost. If the loss is limited to customer payment information, the only concern for customers should be the specific compromised credit card. “When you start to lose much more information, that is when we start to worry, but that is unlikely for Home Depot — that complete identity credentials could have been lost. Your identity is a combination of ingredients. The more complete picture of you they get, the more danger you are in and the more vulnerable.” The thieves “have just a fraction.” – Scott Mitic, senior VP of Equifax.
What’s next for Home Depot?
Home Depot has promised free identity-protection services to any breach-affected customers, including credit card monitoring. The home improvement retailer also said earlier that it will start rolling out chip-and-PIN-enabled card readers at all its US stores by the end of the year.
The retailer said its internal IT security team is working with security firms, banking partners and the US Secret Service to establish the facts of the investigation. Once the investigation is complete, the team will report its findings to the company’s head office, the payment processors, the card brands and all affected banks and parties.
Home Depot’s strategy indicates the company is trying to do its best to find out the depth of the breach and compensate potentially affected customers. Getting that right is critical to the company’s reputation and profitability because customers have demonstrated that they will abandon a chain that doesn’t take their security and identity seriously.
The breach shows criminals have realized large retailers are easy to breach and there’s a huge profit to be made. Retailers like Home Depot and Target will have to be relentless in detecting and addressing such breaches with cyber intelligence moving forward.