Home Depot said on Thursday a data breach affecting its stores across the United States and Canada is estimated to have exposed 56 million customer payment cards between April and September 2014.
While security reporter Brian Krebs originally reported that Home Depot’s payment systems had been hit by a variant of the BlackPOS malware, Home Depot said that according to its security partners, the malware used in the attack had not been seen previously in other attacks.
“Criminals used unique, custom-built malware to evade detection,” the company said in a statement.
Home Depot did not provide additional details on the malware used against its Point of Sale (PoS) system, many new forms of malware designed to target PoS systems have emerged recently.
According to Trend Micro, six new pieces of point-of-sale malware have been identified so far in 2014. Four of these six variants were discovered between June and August: Backoff, BlackPOS version 2, BrutPoS and Soraya.
The company said that it was first made aware of a potential breach of its payment processing systems on Sept. 2 after being notified by law enforcement.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the statement continued.
The home improvement retail giant also that it has completed a “major payment security project” that provides enhanced encryption of payment card data at point of sale in its U.S. stores.
According to Home Depot, the security improvements required writing tens of thousands of lines of new software code and deploying nearly 85,000 new pin pads to its stores.
EMV “Chip and PIN” technology, which the company began rolling out in early 2013 and already exists in Canadian stores, will be deployed to all U.S. stores by the end of the year, ahead of a 2015 deadline established by the payments industry, Home Depot said.
Home Depot said that its new encryption technology was provided by Voltage Security, Inc.
As one of the largest data breaches on record, the incident follows the massive data breach that affected Target in December, when hackers accessed payment card data for roughly 40 million customers along with personal information for 70 million other consumers.
Free identity protection services is also being offered to any customer who used a payment card at any Home Depot store from April 2014 on.
“This is why big box retailers are great targets for sophisticated, well-resourced cybercriminals,” Trey Ford, Global Security Strategist at Rapid7, told SecurityWeek. “They are able to invest time in researching their targets to find a way into the network. Once they’re in, they stay quiet and fly unobserved under the radar, potentially for months at a time.”
“56 million cards may not be as big as the huge Heartland Payment Systems breach, but it eclipses both the TJX and Target breaches, and that’s going to cost Home Depot a lot of money,” Ford said. “We can expect other large global retailers, such as Wal-Mart, Carrefour, Tesco and Metro AG, will be paying close attention as the investigation continues.”
“Credit card data breaches are not slowing down any time soon, and cybercriminals have different techniques to target all industries,” said Jon Clay, Senior Manager of Global Threat Communications at Trend Micro. “However, our research has revealed that a high majority of PoS RAM scrapers affect the retail industry since these businesses have high credit card transaction volumes. Therefore, it is imperative, now more than ever, that retailers must be on the lookout for these types of data breaches and put preventative measure in place to verify the authenticity of all transactions.”
Home Depot operates 2,265 retail stores in the US, Canada and Mexico and had annual sales of $78.8 billion in 2013.
US-based businesses have been the biggest targets of PoS malware. According to a recent report from Trend Micro, roughly 74 percent of PoS malware detections between April and June have been in the U.S. The Philippines and Japan were second and third on the list at 4.62 percent and 4.41 percent, respectively. The retail industry was the hardest hit, accounting for 67.51 percent of PoS malware detections.
