Home Depot Reports Possible Credit Card Breach

By Melissa Campanelli

Just when you thought it was safe to start accepting credit cards again ... Home Depot confirmed yesterday that it’s investigating some “unusual activity” with regards to its customer data.

The news was first reported by Brian Krebs, a well-regarded independent security reporter, in his Sept. 2 blog post. Krebs said that “multiple banks say they're seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground.”

Krebs went on to say that this breach “may extend back to late April or early May 2014. If that's accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”

In the blog post, Paula Drake, a Home Depot spokeswoman, confirmed the investigation.

“Protecting our customers’ information is something we take extremely seriously, and we're aggressively gathering facts at this point while working to protect customers,” Drake said. “If we confirm that a breach has occurred, we will make sure customers are notified immediately.”

This incident comes on the heels of another recent data breach confirmed by P.S. Chang's China Bistro last month. According to an Aug. 4 USA Today article, the chain said a security breach first reported in June may have led to the theft of customer data from credit and debit cards used at 33 of its restaurants. An intruder may have stolen card numbers and possibly names and expiration dates of customers’ credit and debit cards used over the course of about eight months. The chain hasn't determined that any specific cardholders’ data was stolen, however.

These incidents come after a rash of other similar data security breaches over the past year-and-a-half that have affected companies such as Target, Sally Beauty, Michaels, Neiman Marcus, SuperValu, UPS, and others.

Data security experts started weighing in yesterday with their thoughts on the matter.

Daniel Ingevaldson, CTO of Easy Solutions, a security vendor focused on the detection and prevention of electronic fraud, said in a statement that the latest retail breach at Home Depot has turned attention to credit card black markets — i.e., the clearinghouses that sell these stolen cards to the highest bidder. These clearinghouses, however, are becoming less and less of a threat.

“Black market sites used to allow you to 'test' a stolen card, charging a small amount on it before committing to purchase, in order to prove it was a valid card,” Ingevaldson said. “Since the Target breach, banks have improved their detection methods to look for these kinds of charges (as an indication of likely potential new fraud), so these sites no longer offer this service.”

In addition, he said more banks are monitoring the black markets themselves, either on their own or through services, as an early warning system for stolen cards.

Ingevaldson said that he expects “we'll continue to see these large-scale retail breaches continue as a result of wide-open POS devices, combined with the incredible difficulty of discovering a large, sophisticated breach.”

However, banks and retailers are becoming faster to respond to such breaches and are improving their detection methods, “thereby shortening the window of opportunity for these criminals, and reducing the exposure and hassle to consumers,” said Ingevaldson.

Seth Ruden, a senior fraud consultant at payment solutions company ACI Worldwide, said in a statement that the data breach impacting Home Depot “should serve to increase the pressure to migrate to the EMV chip card standard and help to reinforce the need that we have for stepped-up security in payments, especially in the U.S., where we currently lag behind our peers.”

Many security experts agree with Ruden and are rallying around the EMV standard, which requires consumers to use and retailers to accept chip-based smart cards with embedded microprocessor chips that encrypt transaction data differently for each purchase. They hope the EMV standard will replace the dated magnetic stripe technology currently used on major credit and debit cards, which they believe is less secure.

Ruden also offered a few quick tips for retailers to keep in mind to minimize the risk of a data breach taking place at their companies. They include the following:

1. Have good security controls in place. Good controls are both preventative and detective, and should focus on both data at rest and data in motion. Point-to-point encryption is a key technique to defend against this type of attack, covering the business assets with a strong preventative control. Intrusion detection is a strong detection control. When retailers have a controlled environment, much risk can be mitigated.

2. Believe in EMV. EMV is coming, and it's important to recognize how this will change the dynamics of fraud and the nature of chargebacks. It’s not too early for retailers to get on board and be a part of the solution.

3. Remember that security isn't simply a "checkbox.” Many PCI-compliant companies have been hacked, so it’s important to remember that security is best when regarded as a ceiling rather than a floor.

1 2 3 4 5 6 7 8 9 10 11 12 13 All

0 Comments

View Comments

Companies:
Home Depot
Target

Places:
U.S.

Melissa Campanelli Author's page Melissa Campanelli is Editor-in-Chief of Total Retail. She is an industry veteran, having covered all aspects of retail, tech, digital, e-commerce, and marketing over the past 20 years. Melissa is also the co-founder of the Women in Retail Leadership Circle.