After days of speculation, Home Depot has confirmed it was victimized in a data breach that compromised credit and debit cards at stores throughout the United States and Canada.
According to the company, there is no evidence that anyone who shopped at stores in Mexico or online at Homedepot.com was affected.
News of a possible breach first circulated last week. The full scope of the breach remains under investigation; however, the company stated there is no evidence that debit PIN numbers were compromised. The investigation is currently focused on the period from April forward, and the retailer is offering free identity protection services to potentially impacted customers.
“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” Home Depot chairman and CEO Frank Blake said in a statement. “We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges.”
The investigation began on the morning of Sept. 2 after the company received reports of a possible breach from its banking partners and law enforcement. Security blogger Brian Krebs, who broke the news of the investigation last week, reported today that a source close to the investigation told him that an analysis of Home Depot’s store registers showed at least some had been infected with a new variant of BlackPOS – a notorious piece of point-of-sale malware. The same family of malware was also linked to the attack on Target last year.
“It is possible that both attacks were caused by the same people,” said Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs. “Oftentimes, when a certain type of malware becomes too well known by the security industry, the creators of the malware will modify the code and use new methods of obfuscation and encryption in order to thwart detection attempts.”
Generally, attackers have been exploiting the points of least resistance, said Nick Levay, CSO at Bit9.
“In a large percentage of these breaches, the weak spot can be blamed on the POS malware protection, since at the end of the day the common theme of many of these breaches is the execution of malware on the critical endpoint to do the dirty work,” he said. “Regardless if the attackers hit the POS during a busy time, during a holiday freeze, or intense policy change like implementing a new standard like PCI [Payment Card Industry Data Security Standard] 3.0, the end result still has to get past the malware protection at the endpoint.”
Home Depot has previously stated it will roll out EMV ‘Chip and PIN’ to all U.S. stores by the end of this year in advance of the October 2015 deadline.