Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Home Depot Confirms Payment Card Data Breach

Home Depot Confirming Data Breach

After days of speculation, Home Depot has confirmed it was victimized in a data breach that compromised credit and debit cards at stores throughout the United States and Canada.

Home Depot Confirming Data Breach

After days of speculation, Home Depot has confirmed it was victimized in a data breach that compromised credit and debit cards at stores throughout the United States and Canada.

According to the company, there is no evidence that anyone who shopped at stores in Mexico or online at Homedepot.com was affected.

News of a possible breach first circulated last week. The full scope of the breach remains under investigation, however the company stated there is no evidence that debit PIN numbers were compromised. Right now, the investigation is focused on April forward, and the retailer is offering free identity protection services to potentially impacted customers.

“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” Home Depot chairman and CEO Frank Blake said in a statement. “We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges.”

The investigation began on the morning of Sept. 2 after the company received reports of a possible breach from its banking partners and law enforcement. Security blogger Brian Krebs, who broke the news of the investigation last week, reported today that a source close to the investigation told him that an analysis of Home Depot’s store registers showed at least some had been infected with a new variant of BlackPOS – a notorious piece of point-of-sale malware. The same family of malware was also linked to the attack on Target last year.

“It is possible that both attacks were caused by the same people,” said Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs. “Often times, when a certain type of malware becomes too well known by the security industry, the creators of the malware will modify the code and use new methods of obfuscation and encryption in order to thwart detection attempts.”

Generally, attackers have been exploiting the points of least resistance, said Nick Levay, CSO at Bit9.

“In a large percentage of these breaches, the weak spot can be blamed on the POS malware protection, since at the end of the day the common theme of many of these breaches is the execution of malware on the critical endpoint to do the dirty work,” he said. “Regardless if the attackers hit the POS during a busy time, during a holiday freeze, or intense policy change like implementing a new standard like PCI [Payment Card Industry Data Security Standard] 3.0, the end result still has to get past the malware protection at the endpoint.”

Home Depot has previously stated it will roll out EMV ‘Chip and PIN’ to all U.S. stores by the end of this year in advance of the October 2015 deadline.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.