Swatting comes to the UK as Mumsnet founder receives visit from armed boys in blue

If you thought swatting – a situation in which armed law enforcement officers, such as those in American Special Weapons And Tactics teams, are drawn to an unsuspecting victim’s address by a hoax call – was a US thing, reserved for only the most well-known celebrities within the infosec profession, think again.

You don’t need to be Brian Krebs to find yourself on the wrong end of a gun.

Nor do you need to be living in the US it seems.


In a double-whammy reminiscent of Krebs’ experience, Justine Roberts found her hugely popular Mumsnet site knocked off line at around the same time armed officers from the Metropolitan police paid her UK address a visit.

In the first incident, Roberts saw her 7.7 million member site crippled by a DDoS attack reportedly launched by whoever hides behind the now-suspended @DadSecurity Twitter account (if he or she thinks they can’t be caught because they are a hacker, they ought to think again).

In the second, Roberts herself received an unexpected call after someone dialled 999 and said a gunman had been spotted near her home.

Not content with attacks against both Mumsnet and its founder, the alleged attacker then went after another member.

In an email sent to members of the site, Roberts explained:

An armed response team turned up at my house last week in the middle of the night, after reports of an armed man prowling around.

A Mumsnet user who engaged with @DadSecurity on Twitter was warned to ‘prepare to be swatted by the best’ in a tweet that included a picture of a SWAT team, after which police arrived at her house in the middle of the night following a report of gunshots.

Needless to say, she and her young family were pretty shaken up.

Interestingly, Roberts told Mumsnet subscribers that home addresses were not likely to have been found via the site as “we don’t collect addresses”.

She also said she remained confident that passwords had not been accessed following the 11-12 August DDoS attack (they may well have been last year following Heartbleed though) but offered the following sound advice for good measure:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that https:// is being used on login pages
DO use social login to avoid typing passwords
DON’T give out information to any organisations without verifying they are who they say they are

Instead, it appears the hacker may well have acquired data by phishing for it via a fake login page which ultimately may have led to as many as 11 accounts becoming compromised.

So what can we learn from this story?

Several things it seems –

  1. Swatting has just become a ‘thing’ here in the UK
  2. Even a big site like Mumsnet – which has 14 million+ visitors per month – can be susceptible to a DDoS attack
  3. Phishing is still rife and people do fall for fake login pages
  4. A determined hacker will find a way to attack you or your site, even more so if you make it easy for them
  5. There are some pretty messed up people out there

What have you done to defend yourself, your website and your business from those who would do you harm, or at least put you in harm’s way?

No sophistication here: UK job recruitment network hacked, users’ info dumped on Pastebin

While many security pros and casual observers continue to read about the massive breach at Carphone Warehouse (as discussed on BBC radio by our very own Brian Honan — 7 mins in), which may have affected up to 2.4m of their customers, there is another potentially huge story bubbling away in the background.

The Employment Agents Movement (TEAM), the UK’s largest network of independent recruiters – no, I’ve never heard of them either – was apparently targeted over the weekend by a Saudi hacker.

Going by the name of JM511, the hacker appears to have broken with convention, completely tossing out the rulebook which says all major attacks must be sophisticated in order to be effective these days.

Instead, he (or she, we don’t know which) relied upon an old-school SQL injection to gain access to the network’s database at jobsatteam.com.

Then, quelle surprise, he dumped all the information on Pastebin, revealing the usual data – names, email addresses, usernames, telephone numbers, that sort of thing.

Perhaps just as unsurprisingly, the hacker also published a whole load of passwords. Fortunately, many are encrypted, but the ones that are not make for some interesting reading.

I’ve not had time to go through all 2,500+ records but a quick gander reveals that several recruiters need some help when it comes to creating a strong password. Not heeding common advice which suggests mixing letters, numbers and characters, and definitely avoiding words, several opted to secure their accounts with the password “team”. I can only hope they haven’t reused such a weak password anywhere else online because, if they have, that would be very, very bad.

Oops.

Other password blunders include recruiters securing their accounts with a password that matches their surname – and, yes, some of those surnames are only 4 letters long and are also common dictionary words.

Oops.

Then there is a group of at least four recruiters from the same agency who have all used the same dictionary word to secure their respective accounts.

Oops.

And a similar number from another agency who used two dictionary words together and stuck the number one on the end.

Oops.
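As an added example (not from this post or from TEAM itself), here is a Python check that flags the password patterns described above: a single dictionary word, the account holder's own surname, two dictionary words joined with a trailing number, and the same password shared by several users at one agency. The word list and the records are constructed stand-ins; a real deployment would load a full dictionary or breached-password list and run the check when a password is set, not against stored plaintext.

```python
import re

# Constructed mini word list standing in for a real dictionary / breach list.
COMMON_WORDS = {
    "team", "work", "password", "summer", "welcome", "london",
    "hello", "recruit", "jobs", "agency", "wood",
}
MIN_LENGTH = 12  # assumed policy minimum


def _dictionary_split(core):
    """True if core is one dictionary word or two dictionary words joined."""
    if core in COMMON_WORDS:
        return True
    for i in range(1, len(core)):
        if core[:i] in COMMON_WORDS and core[i:] in COMMON_WORDS:
            return True
    return False


def weak_password_reasons(password, surname=None):
    """Return the list of weakness patterns a password matches (empty if none)."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if surname and lowered == surname.lower():
        reasons.append("matches account holder's surname")
    # letters only, optionally followed by a one- or two-digit suffix ("...1")
    m = re.fullmatch(r"([a-z]+)(\d{0,2})", lowered)
    if m:
        core, digits = m.groups()
        if _dictionary_split(core):
            if digits:
                reasons.append("dictionary word(s) plus a trailing number")
            else:
                reasons.append("dictionary word(s)")
    return reasons


def audit(records):
    """records: dicts with username, surname, agency, password.

    Returns (findings, shared): per-user weakness reasons, and passwords that
    more than one user at the same agency chose.
    """
    findings = {}
    by_agency_password = {}
    for r in records:
        reasons = weak_password_reasons(r["password"], r["surname"])
        if reasons:
            findings[r["username"]] = reasons
        key = (r["agency"], r["password"].lower())
        by_agency_password.setdefault(key, []).append(r["username"])
    shared = {k: v for k, v in by_agency_password.items() if len(v) > 1}
    return findings, shared


# Constructed sample records mimicking the shape of the dump (not real data).
SAMPLE_RECORDS = [
    {"username": "jdoe", "surname": "Doe", "agency": "Acme Recruit", "password": "team"},
    {"username": "asmith", "surname": "Smith", "agency": "Acme Recruit", "password": "Smith"},
    {"username": "bwood", "surname": "Wood", "agency": "Acme Recruit", "password": "Wood"},
    {"username": "ckhan", "surname": "Khan", "agency": "Beta Staffing", "password": "teamwork1"},
    {"username": "dlee", "surname": "Lee", "agency": "Beta Staffing", "password": "teamwork1"},
    {"username": "eroy", "surname": "Roy", "agency": "Beta Staffing", "password": "Correct-Horse-Battery-42"},
]

if __name__ == "__main__":
    found, dup = audit(SAMPLE_RECORDS)
    for user, why in found.items():
        print(f"{user}: {', '.join(why)}")
    for (agency, pw), users in dup.items():
        print(f"{agency}: '{pw}' shared by {', '.join(users)}")
```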

Normally at this point I would write something about how we could encourage such people to buy into their own security, by demonstrating how eradicating risky behaviour could help them, as well as the business they work for.

But it seems a bit too late for that so, instead, I’ll ask whether you have considered how your staff are approaching security. Do they lock their accounts down or make it easy for attackers to guess or otherwise compromise their login credentials?

If they need help or education, how will you provide it? Do you need security awareness training?

Once you’ve thought about that, you may wish to consider the fact that the TEAM website is still down today – “Under Maintenance,” so it says.

You may also want to consider the fact that JM511 has used his Twitter account to boast of other attacks against Knapp.com, Assa.au and others, all using SQL injection.

You have protected your corporate databases from SQL injection attacks, right?

While you ponder that, I’ll be busy looking to see how many recently attacked sites have apologised so far – because we all like to know how companies take our security seriously, and sleep well at night when the breached tell us how they are beefing their defences up long after the horse has bolted.

Hackers Penetrate Ashley Madison, Slip Out With Customer Data

Hackers have stolen personal information from online international infidelity site Ashley Madison.

The site, which encourages its members to cheat on their partners, boasts 37 million members, all of whom may be ruing the day they signed up with a service which says “Life is short. Have an affair”.

According to Brian Krebs, those responsible – known as The Impact Team – claim to have compromised… everything. That’s databases, financial records and other data.

Not only that, the group has also begun leaking some of that data on the web, including maps of internal servers, company bank account data and employees’ salary information.

Customer data appears to be safe for now but The Impact Team has threatened to dump everything it has if Avid Life Media, the company behind Ashley Madison, fails to close the site, along with another of its web properties, Established Men.

Should such a disclosure of personal information come to pass, the consequences for actual and wannabe cheating spouses could be severe – the data likely to be leaked apparently includes names and addresses, credit card transactions and secret sexual fantasies.

The Impact Team has taken this course of action, it says, because Avid Life Media allegedly lied about a service charge. Membership of the site is free, as is partial deletion of profiles, but a full delete costs $19 (around £12).

This service, the hackers say, has not been provided to those who have paid up. Instead, the group claims names, addresses and usage histories remain, even after the fee has been paid.

In a statement Avid Life Media Inc confirmed the breach, saying:

We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.

We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.

We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.

Avid Life Media says it has now successfully removed all hack-related posts and PII about its users by invoking the Digital Millennium Copyright Act. Investigation of the incident continues it says:

At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.

How good the security at Ashley Madison is, we do not know, but what is for sure is that data breaches are either becoming more frequent or are being reported far more often. We can also say that, whatever you think of the service the site provides, the attack is still an illegal action, however well-intentioned those behind it may perceive themselves to be.

The latest breach of an adult-orientated site comes two months after Adult Friend Finder suffered a similar fate and the advice for anyone potentially affected this time around is the same – be on your guard for an increase in spam email, identity theft, carefully crafted phishing emails and even potential blackmail attempts.

Hacking Team: 5 Tips For Recovering From The Alleged Breach

Hacking Team, an Italian company that helps governments spy on their own citizens, has apparently been hacked itself.

As the story is such big news today I’ll let you get the details elsewhere – Graham Cluley’s article is as good a place to start as any.

Brian Honan on the apparent Hacking Team breach

Instead, here are a few ideas for how the company can respond to the alleged incident:

1. Move quickly

If Hacking Team has indeed been breached then the speed with which they respond could be key to mitigating the effects.

We’ve already seen what appears to be torrents full of corporate data appear on the web and attract an undue amount of attention via social networks.

Given the sensitive nature of their business, and the even more sensitive makeup of their alleged client list, it would make sense to do whatever possible to limit any further exposure of the company’s corporate data.

Taking the website offline until it can be thoroughly checked for the point of entry – and fixed – could be a good starting point.

Hacking Team would also be well-advised to remember it has other public-facing assets on the web too, i.e. Twitter accounts which also appear to have been compromised. Taking those down, along with any other accounts on Facebook, Google or elsewhere, would also be prudent until fixes are made.

2. Get help

Normally sound advice to a small company would be to employ the services of a security professional following a breach. Their particular field of expertise could prove invaluable to an organisation whose main line of business lies outside the security field.

In the case of Hacking Team, we can only assume that some top talent is already on the payroll but, given the line they operate in, I’d imagine it has friends within some pretty interesting government departments.

Time to call in some favours?

3. Own it

Telling the world you take security seriously after a breach which demonstrated that you didn’t beforehand is an increasingly lame way of doing business. Given Hacking Team’s client list, that’s not an approach that will win it much repeat business should the hack claims be true – and let’s not forget that the internet is awash with nothing more than opinion right now; I’ve seen nothing to say a breach categorically did occur.

That said, if the claims are true, Hacking Team would be well advised to own up, at least to its customers, and start working towards building their trust again.

Denials and delays never helped anyone.

4. Disclose it

Disclosure is always important after a breach, either for regulatory reasons or simply to maintain goodwill with customers current and future. In this case, if a hack did occur, Hacking Team would likely be talking to clients who already know what’s gone on. Even so, working with the authorities seems like it’s a given.

5. Ensure it doesn’t happen again

This is the big one.

If the company has been hacked once there is every chance it could be targeted again, especially given the nature of its business.

While no-one likes to think about lightning striking once, there is a real danger it could strike twice. If that is a sentiment that applies to Hacking Team, it may wish to brush off its disaster recovery plan, check its security procedures and, depending on how the alleged attack was initiated, look into some staff security training.

Even more importantly, the company may need to employ some expert negotiators if it wishes to continue attracting nation-state contracts for its services.

So there are my thoughts – can you offer Hacking Team any extra tips for coping with the apparent hack it has experienced?

image credit: Reactions to the Hacking Team breach

UK Data Breaches Up, Infosec Spending Leveling Off, Awareness Still Key

A new UK government survey, conducted by PwC in association with Infosecurity Europe, has revealed some interesting findings about data breaches with the key takeaway being the fact that the number of breaches has increased year on year.


Reversing the small decrease seen in 2014, this year’s report shows that a whopping 90% of large organisations were breached in the previous 12 months (up from 81% last year). The report clearly highlights that it is not only large companies that need to be concerned though – some 74% of smaller firms were also breached (up from 60% in 2014).


While the actual number of breaches per organisation has dropped from 16 to 14 for larger companies and from 6 to 4 for smaller firms, 59% of respondents expect to see more security incidents next year, something that may be explained by a reported leveling out of security spending.

Even though the cost of breaches continues to soar – large organisations among the 650 responding companies reported average losses of £1.46m to £3.14m and smaller respondents quoted average figures of £75k to £311k – many respondents reported a slowdown in the growth of security budgets.


While expenditure was still expected to increase, by and large, fewer organisations were expecting to receive beefier budgets than the year before. Respondents from smaller firms were far more pessimistic than those from larger players, with only 7% expecting additional funding in 2016.

Given the reported slowdown in security spending, it seems likely that organisations will become increasingly interested in getting the best value from their expenditure and, based upon the views garnered by this survey, that may well be in the area of staff training and awareness.

We’re huge fans of both here at BH Consulting and firm believers in their usefulness to both employees and the business as a whole. It is therefore rather disappointing to note that the survey concludes the human element to be a particular area of concern, as it has been for many years now.


While the surveyed companies reported an increase in staff awareness programs they do not appear to have got their money’s worth from them with many still citing employees as the highest area of risk within their organisation, responsible for the vast majority of breaches and other security incidents.


Three quarters of large organisations said human error caused at least one breach, up from 58% last year, while almost a third of small companies blamed staff for the same, up from 22% in 2014.

While we can probably conclude that businesses are becoming increasingly aware of the dangers of being breached – incidents are making the news more than ever before – they are continually struggling to mitigate the risks, regardless of size.


While budgets and technical controls obviously come into play and affect an organisation’s ability to protect its digital assets, the human aspect still appears to be the area requiring the most work. Staff training and awareness programs are known to be effective but many companies do not appear to have leveraged them to their full potential.

You can read the full report here, or the executive summary here.

Majority Of Data Breach Incidents Not Reported To ICO

According to ViaSat UK, a specialist security and communications company, the number of breaches of the Data Protection Act reported to the Information Commissioner’s Office represents only a tiny proportion of such incidents actually occurring across the UK.

I can’t say that I’m in the least bit surprised by that.

Data pulled from Freedom of Information (FOI) requests showed there were at least 13,000 thefts (a figure obtained from just 18 of the UK’s police forces) of devices potentially containing sensitive business data between March 2014 and March 2015.

Interestingly, however, the ICO was only informed of 1,089 breaches, meaning potentially thousands of cases went unreported.

Lock them up and throw away the key?

Nah, can’t do that – the Data Protection Act, as things stand, has no provision for dealing with the non-reporting of breaches, meaning we have no way of knowing what may or may not have been stolen, how many people may have been impacted or what, if any, action was taken after the devices were stolen.

Chris McIntosh, CEO, ViaSat UK, said:

We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time.

ViaSat noted that the vast majority of the breaches that were reported to the ICO were made by public sector organisations – primarily the healthcare sector (431) and local government (129) – and very few came from the private business arena.

While statistics can tell you everything – or nothing at all – there is a suspicion that the small number of reported breaches in the private sector could signify that it is seriously under-reporting the number it encounters.

McIntosh continued:

It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence [are you listening Mr Cameron?] that none of the 13,000-plus stolen devices represent a threat.

Earlier this week we saw another Freedom of Information request, this time by Egress directly to the Information Commissioner’s Office, which revealed how the number of Data Protection Act breach investigations in the banking industry had risen by 183% over the last two years. Just out of interest, an FOI request made by Egress in November 2014 showed 93% of all breaches across all sectors were caused by human error – food for thought, eh?

So, what is the solution?

McIntosh said:

The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.

Compulsory reporting, eh? What do you think? Do we need a strict and enforced policy of potential breach reporting or does the answer lie elsewhere?

Given the high levels of human fallibility that often go hand in hand with breaches, I’d suggest that legal frameworks aren’t the only answer and that, in fact, businesses should be far more concerned about preventing breaches than dealing with the aftermath when one does occur (though it does of course go without saying that an incident response plan and compliance with industry regs and legislation are essential).

Adult Friend Finder Breached, Millions Of Records Exposed

Casual dating website Adult Friend Finder, which boasts some 63 million users across the globe, has warned customers that their personal data may be at risk following what appears to be a massive leak.

The breach, which is believed to have exposed around 3.6 million or more records, is currently being investigated by police.

Compromised information is said to include usernames, email addresses, post codes, IP addresses and details of people who have indicated they are looking for an extramarital affair.

Californian FriendFinder Networks says it is aware of the “seriousness” of the potential breach which appears to affect both current and deleted user accounts.

Given the nature of the site, and the fact that other personal details such as sexual preferences were leaked, the potential damage to affected users could be severe, as pointed out by Tripwire’s Director of Security and Product Management, Tim Erlin:

Aside from the known value of compromised personal details on the dark web, there’s certainly the potential for blackmail from this breach. If any high profile, public figures or politicians have been using Adult Friend Finder, they might consider how the details they entered there could be used against them.

Commenting on Twitter, our very own Brian Honan came to much the same conclusion:

[Brian Honan’s tweet]

Further details about the breach remain few and far between at the moment with the California company merely telling Channel 4 News that it “understands and fully appreciates the seriousness of the issue” and has “already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert”. The company also vowed to take the necessary action to protect its affected customers.

While the lack of further information may be frustrating, especially to anyone who has ever signed up to Adult Friend Finder, it is hardly surprising. As Erlin says:

It’s become a standard pattern to see these breach announcements with minimal details, followed by more information as investigators get involved. It’s not unusual for the scope of a breach to expand as forensics experts are engaged and gain access to data.

So what’s next if you are a victim?

While it is hardly clear-cut at the moment, the experience of one user may give some insight. Shaun Harper says he has been targeted with malware-laden emails since his details were published (you can check whether yours have been leaked here), even though he had already deleted his account and believed all of his information had been removed.

I’d suspect that in addition to infected emails and the aforementioned potential for blackmail, there is also a very strong likelihood that personal information will be sold on to companies and individuals with an interest in creating user profiles, not to mention an increase in personalised phishing emails hitting inboxes.

As Ken Westin, Senior Security Analyst at Tripwire, says:

The Internet has essentially become a database of You. As more data is breached, this information can be sold in underground markets and can create a very vivid profile of an individual.

Depending on the type of information that is compromised this data can be used to link aliases to other accounts via email or other shared attributes and unveil connections to accounts that were not seen until now. An example would be a politician that may have created an account using a fake name, but used a known email address for their login details, or a phone number that can be mapped back to their real identity. This is an example of how data like this can lead to further blackmail and/or extortion by a malicious actor seeking to profit from this type of information.

It is also highly likely that affected customers will see an increase in junk email over the next few weeks too – as the stolen records began to circulate on the dark web, hackers said they intend to spam compromised email addresses.

Twenty-Five Million Plus Two Reasons Not To Ignore The Data Breach Risk

A few years ago data breaches weren’t all that common or, if they were, they certainly weren’t being reported with quite the same regularity that they are now.

Nowadays, it seems like another big company is getting hit just about every week – but let us not forget that smaller breaches are also a regular occurrence too.

So what are you doing to mitigate the risk of a breach affecting your organisation?

Nothing?

Hmmm…in that case, this post is for you then as I detail just two incidents from the last week that really ought to have you sitting bolt upright, considering the various costs associated with becoming the next data breach casualty.

AT&T

Firstly, there was the news that one of the biggest mobile carriers in the US – AT&T – had been slapped hard by the Federal Communications Commission (FCC).

Between 2013 and 2014 a series of breaches at call centres in Mexico, Colombia and the Philippines led to the unauthorised disclosure of personal data, including names and Social Security numbers, of some 280,000 US customers.

The FCC’s investigation revealed that over 40 call centre employees had collectively accessed the records so that third parties could submit handset unlocking requests through AT&T’s online portal. According to an FCC official, many of the handsets in question appeared to have been stolen.

As a result of the breach the carrier – which is the second largest in the US – was ordered to hand over $25 million, the largest civil penalty ever handed out in respect of privacy and data security enforcement action.

AT&T was also ordered to file regular compliance reports to the FCC and the company also voluntarily took on the added expense of notifying all impacted customers as well as offering them a year of free credit monitoring.

But it’s not just large settlements that large companies should fear in the wake of a data breach – reputational damage can be an equally big issue.

White Lodging Services

Take White Lodging Services, for example.

The Indiana-based company provides hotel management services across 14 properties, putting it on an altogether different scale to AT&T, but its business may have been damaged just as much by the news that it has suffered a payment card breach.

Can you imagine how prospective customers must feel, knowing that the company’s point-of-sale systems were compromised between 20 March, 2013 and 16 December of the same year?

Not great, I bet, though the relatively small size of the company may have kept it out of the largest news circles.

Unfortunately for White Lodging Services, some things in the past refuse to stay there, as its systems were again compromised on 27 January this year.

The company says the latest attack is not related to the previous one and it’s hard to tell whether customers should be reassured or increasingly worried about that to be honest.

That the company’s POS systems could be compromised once is worrying but perhaps not entirely surprising, given how the likes of Target, Home Depot and Neiman Marcus have all suffered a similar fate in the recent past.

But twice?

Something is going on here and, in the absence of further information from the company or comment from law enforcement, it’s hard to say what.

In any event, I would suspect that potential customers of White Lodging Services may well have heard the news by now and may be considering their next moves and whether they may be better off staying elsewhere.

That’s not to say that the company has done anything wrong – it may just have been the unfortunate victim of a very skilled attacker (twice, no less) – but the consequences may ultimately be no less damaging than the penalty handed to AT&T.

So, again, the question is, what are you doing to mitigate the risk of a data breach – a crime not limited to the United States – affecting your firm? And do you have an incident response plan prepared in case the worst does happen?

PCI What? Ex-Home Depot Staff Told Friends To Use Cash Not Cards

The story behind the Home Depot breach continues to unravel bit by bit and as the pieces of the jigsaw start to fit together, the resulting picture doesn’t look pretty.

Not one bit.

According to an article in the New York Times, the situation appears to have been little more than shambolic in my opinion, with former staff and security team members telling the publication that defence mechanisms were out of date and that security response was lacking.

The timeline appears to have started around seven years ago when the company began employing Symantec antivirus 2007, only to never subsequently update it. The New York Times also reports that networks were not consistently monitored for signs of attack and that system and vulnerability scans were not only performed erratically, but were also not all-encompassing as security staff were blocked from checking certain systems, including those associated with handling customer information.

The fact that the company failed to perform even the most basic of scans on a regular basis, in conjunction with more than 12 customer information databases being outside of their remit, is alarming, if not surprising, to me at least.

Whether the company complied with payment card rules (it says it has since 2009) that mandate that such a large retailer should conduct comprehensive scans at least quarterly is unknown, as is the question of whether Home Depot employed the services of QSAs to regularly test compliance, but the allegations put forward by former employees certainly suggest the answer may be a resounding no.

In fact, things were so bad at Home Depot that employees reportedly left the company after being told by managers that the chain “sell[s] hammers” when they asked for new software and training.

Even when the company did make a positive step in 2012 by hiring a computer engineer, Ricky Joe Mitchell, to help oversee security at its 2,200 stores, things didn’t exactly go to plan – he was subsequently arrested and banged up for 4 years in a federal jail after he was found to have deliberately wiped the servers at his previous company.

Former security staff at the chain told the New York Times that their confidence in the company’s IT systems was so low that they even resorted to telling friends to avoid using credit cards to make payments, instead recommending cash as a safer alternative.

The company did react eventually, bringing in experts from Voltage Security, but only after the Target breach had come to light. The roll-out of EMV (chip) card acceptance and the deployment of encryption across its payment systems came too late, though: the attackers had already gained entry and made off with 56 million customers' payment cards, a haul that eclipses the 40 million snaffled in the Target breach. Experts have already seen some of the data for sale on carder forums, and the total value of the stolen data has been estimated at up to $3 billion.

And, as if things couldn't get any worse, Home Depot's email to customers advising them of the breach has only just gone out, long after most of the world heard the news from other sources.

Also, as you can see, it's somewhat short of useful, actionable advice:

Dear Valued Customer,

As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores. On September 18, 2014, we confirmed that the malware used in the breach has been eliminated from our U.S. and Canadian stores and that we have completed a major payment security project that provides enhanced encryption of payment data at point of sale throughout our U.S. stores, offering significant new protection for customers. There is no evidence that debit PIN numbers were compromised or that checks were impacted. Additionally, there is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.

We are offering customers who used a payment card at a Home Depot store in 2014, from April on, 12 months of free identity protection services, including credit monitoring, beginning on September 19, 2014. We apologize for the frustration and anxiety this may cause you and we thank you for your patience during this time.

For more information, please visit our website where you’ll find frequently asked questions, helpful tips, our Important Customer Notice, and information about how to take advantage of the free identity protection services, including credit monitoring. Should you have questions regarding the authenticity of this email or any additional questions over the coming days and weeks, please call 1-800-HOMEDEPOT.

We hope this information is useful and we appreciate your continued support.

The Home Depot

How do you rate Home Depot’s incident handling and response in this case?

Home Depot Investigates Breach. Slow Adoption Of Chip-And-Pin To Blame?

Another day, another breach.

This time it looks like US DIY chain Home Depot may have been compromised along with the possibility that customer credit and debit card data may have been snatched.

The possible breach was first reported by Brian Krebs who later updated his original post to suggest that the breach may extend back to April or May of this year.

The home improvement chain has subsequently revealed that it is investigating what it refers to as ‘suspicious activity’ and has also confirmed that it is working with “banking partners and law enforcement” as part of its own inquiry into what may have transpired.

Paula Drake, a U.S. spokesperson for Home Depot, said:

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further.”

Krebs, who broke the Target data breach story last year, said that it was too early to say how many stores may have been affected, but the fact that Home Depot has 2,200 outlets means that:

“This breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”

If the breach is confirmed, Home Depot would be the latest, and possibly largest, retailer to suffer a loss of sensitive customer information, which may further alarm shoppers who are likely already concerned about the ability of large firms to keep their private data safe.

Krebs said that a number of banks became aware that the chain may have been breached after a massive new swathe of payment card data was made available on underground websites. He added that there are some indications that the alleged attackers in this case may be the same group of Russian and Ukrainian hackers that was responsible for the aforementioned Target breach, as well as other high-profile compromises at P.F. Chang’s and Sally Beauty. The motivation for the attack, according to Krebs, could be some sort of protest against the US and Europe in the wake of sanctions levied against Russia following its moves into Ukraine.

Whilst data theft is likely to continue within the retail industry, I am of the opinion that US firms are more at risk than others right now because of the slow adoption of the chip-and-PIN (EMV) system in America.

Until that system is fully rolled out in the US, cards are still swiped and their magnetic stripes read at the point of sale, and the track data on a stripe is static: whoever captures it has everything needed to clone the card, which makes US terminals the easier target.
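What makes stripe data so attractive is that a complete Track 1 or Track 2 record read by the terminal is the whole prize, so finding it in memory is exactly what an intruder on a point-of-sale system looks for and what a responder triaging a POS memory dump looks for in turn. The scanner below is an added example, not code from the article and not any tooling attributed to the Home Depot attackers; the memory image is constructed, the card numbers are standard test PANs, and the assumption that the intruder's target is track data sitting in POS memory is mine (the article only says malware was involved). It also reads the service code, because a first digit of 2 or 6 marks a chip-capable card, so a track record from such a card shows the chip was bypassed by a swipe.

```python
"""Search a memory image for magnetic-stripe track records.

Added example with a constructed buffer; the PANs are published test numbers,
not real cards, and nothing here comes from the article or any vendor."""
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2:           ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN and last four digits, as an incident report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return every Luhn-valid track record in buf, PAN masked, ordered by offset."""
    hits = []
    # (track number, regex, group index of PAN, expiry, service code)
    for track, rx, pan_i, exp_i, svc_i in ((1, TRACK1, 1, 3, 4), (2, TRACK2, 1, 2, 3)):
        for m in rx.finditer(buf):
            pan = m.group(pan_i).decode()
            if not luhn_ok(pan):
                continue                    # decoy or random digits, not a card
            svc = m.group(svc_i).decode()
            hits.append({
                "offset": m.start(),
                "track": track,
                "pan": mask(pan),
                "expiry": m.group(exp_i).decode(),      # YYMM
                "service_code": svc,
                # First service-code digit 2 or 6 = "use the IC (chip) where possible":
                # a swipe of such a card is a magstripe fallback, not the intended path.
                "chip_capable": svc[0] in "26",
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory image: junk bytes around three track records and one decoy.
SAMPLE = (
    b"\x00\x13\x37junk"
    b"%B4111111111111111^DOE/JANE^2512101000000000?"   # track 1, magstripe-only card
    b"\x00\x00"
    b";4111111111111111=2512101000000000?"             # track 2, same card
    b";4111111111111112=2512101000000000?"             # decoy: fails the Luhn check
    b"\xff\xfe"
    b";5500000000000004=2606201000000000?"             # track 2, chip-capable card (201)
    b"tail"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```

On the constructed image the decoy with a bad check digit is dropped, the two records for the first card are reported with the PAN masked, and the third record is flagged as coming from a chip-capable card that was nevertheless swiped. Run the same function over a process dump from a terminal and the presence of any hit at all is the finding: a correctly designed POS should not be holding clear-text track data long enough for it to be found.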

Or, as Ken Westin, security analyst at Tripwire, says:

“It’s safe to say that mega retailer point-of-sale data breaches are approaching the point of an epidemic. These breaches are having a significant impact on consumer trust and many of the retailers still do not fully comprehend the scope or origin of the breaches.

Organized criminal syndicates are actively targeting U.S. retailers simply because they’ve become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected.

Pretty much all of these retailers have been notified of potential fraud after the fact usually by fraud analysts at financial institutions who detect stolen credit card activity. They then map the activity back to specific retailers as the common point of origin.”