After days of speculation, Home Depot has confirmed it was victimized in a data breach that compromised credit and debit cards at stores throughout the United States and Canada.
According to the company, there is no evidence that anyone who shopped at stores in Mexico or online at Homedepot.com was affected.
News of a possible breach first circulated last week. The full scope of the breach remains under investigation; however, the company stated there is no evidence that debit PIN numbers were compromised. Right now, the investigation is focused on April forward, and the retailer is offering free identity protection services to potentially impacted customers.
“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” Home Depot chairman and CEO Frank Blake said in a statement. “We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges.”
The investigation began on the morning of Sept. 2 after the company received reports of a possible breach from its banking partners and law enforcement. Security blogger Brian Krebs, who broke the news of the investigation last week, reported today that a source close to the investigation told him that an analysis of Home Depot’s store registers showed at least some had been infected with a new variant of BlackPOS – a notorious piece of point-of-sale malware. The same family of malware was also linked to the attack on Target last year.
“It is possible that both attacks were caused by the same people,” said Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs. “Often times, when a certain type of malware becomes too well known by the security industry, the creators of the malware will modify the code and use new methods of obfuscation and encryption in order to thwart detection attempts.”
Generally, attackers have been exploiting the points of least resistance, said Nick Levay, CSO at Bit9.
“In a large percentage of these breaches, the weak spot can be blamed on the POS malware protection, since at the end of the day the common theme of many of these breaches is the execution of malware on the critical endpoint to do the dirty work,” he said. “Regardless if the attackers hit the POS during a busy time, during a holiday freeze, or intense policy change like implementing a new standard like PCI [Payment Card Industry Data Security Standard] 3.0, the end result still has to get past the malware protection at the endpoint.”
Home Depot has previously stated it will roll out EMV ‘Chip and PIN’ to all U.S. stores by the end of this year in advance of the October 2015 deadline.
