Home Depot Data Breach Could Be the Largest Yet
by Nicole Perlroth, The New York Times
Home Depot confirmed on Monday that hackers had broken into its in-store payments systems, in what could be the largest known breach of a retail company’s computer network.
The retailer said the exact number of customers affected was still not clear. But a person briefed on the investigation said the total number of credit card numbers stolen at Home Depot could top 60 million. By comparison, the breach last year at Target, the largest known attack to date, affected 40 million cardholders.
The breach may have affected any customer at Home Depot stores in the United States and Canada from April to early last week, said Paula Drake, a company spokeswoman. Customers at Home Depot’s Mexico stores were not affected, nor were online shoppers at HomeDepot.com. Personal identification numbers for debit cards were not taken, she said.
Home Depot has not yet confirmed other details.
The retailer operates 1,977 stores in the United States and 180 in Canada. That is about 400 more than Target had when it was compromised. Target’s breach went on for three weeks before the company learned about it, while the attack at Home Depot went unnoticed for as long as five months.
“Honestly, Home Depot is in trouble here,” said Eric W. Cowperthwaite, vice president of Core Security, an Internet-security consulting company. Mr. Cowperthwaite noted that it was a security blogger, Brian Krebs, not the company, that first reported the breach.
“This is not how you handle a significant security breach, nor will it provide any sort of confidence that Home Depot can solve the problem going forward,” Mr. Cowperthwaite said.
Last week, before Home Depot confirmed the attack, customers in Georgia had already filed a class-action lawsuit against the retailer for failing to protect customers from fraud and not alerting them to the breach in a timely manner.
Home Depot said it would offer free identity protection and credit-monitoring services to any customer who had used a credit or debit card at any of its affected stores.
Since the breach at Home Depot first came to executives’ attention last Tuesday, the company said it had been working with two security companies, Symantec and FishNet Security, to investigate.
Home Depot is unlikely to be the last big retailer to suffer a breach of its cash register systems. Hackers have for some time been scanning merchants’ networks for ways to gain remote access, such as through outside contractors who have access to a computer network. Once they find that opening, they install so-called malware that is undetectable by antivirus products.
The Department of Homeland Security and the Secret Service recently estimated that more than 1,000 businesses in the United States had been infected with malware that is programmed to siphon payment card details from cash registers in stores. They believed that many of these businesses did not even know they were sharing customers’ credit card information.
Besides Home Depot and Target, among the companies that have been hacked are U.P.S., Goodwill, P. F. Chang’s, Sally Beauty, Michael’s and Neiman Marcus.
Security experts believe that the same group of criminals in Eastern Europe is behind the attacks, according to several people briefed on the results of forensics investigations who were not allowed to speak publicly because of nondisclosure agreements. Buried in the malware used in the Home Depot attack were links to websites that reference the United States role in the conflict in Ukraine.
In each case, the entry point has differed, according to one law enforcement official. At Target, it was thought to be a Pennsylvania company that provided heating, air conditioning and refrigeration services to the retailer. The entry points for the other businesses are still unknown.
Studies have found that retailers, in particular, are unprepared for such attacks. A joint study by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that a majority of computer security experts in the United States believed that their organizations lacked the technology and tools to quickly detect database attacks.
Only one-third of those experts said they did the kind of continuous monitoring needed to identify irregular activity in their databases, and 22 percent acknowledged that they did not scan at all.
After Home Depot confirmed the breach on Monday, a retail lobbying group in Washington said it was time the industry worked together to combat such threats.
“Any organization connected to the debit and credit card ecosystem faces constant and evolving threats,” said Sandy Kennedy, president of the Retail Industry Leaders Association. “The public and private sector must continue to work together to improve debit and credit card security, identify threats and share information to best defend against cyberattacks.”