Another day, another breach.
This time it looks like US DIY chain Home Depot may have been compromised along with the possibility that customer credit and debit card data may have been snatched.
The possible breach was first reported by Brian Krebs who later updated his original post to suggest that the breach may extend back to April or May of this year.
The home improvement chain has subsequently revealed that it is investigating what it refers to as ‘suspicious activity’ and has also confirmed that it is working with “banking partners and law enforcement” as part of its own inquiry into what may have transpired.
Paula Drake, a U.S. spokesperson for Home Depot, said:
“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further.”
Krebs, who broke the Target data breach story last year, said that the it was too early to say how many stores may have been affected but the fact that Home Depot has 2,200 outlets means that:
“This breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”
If the breach is confirmed, Home Depot would be the latest, and possibly largest, retailer to suffer a loss of sensitive customer information, which may further alarm shoppers who are likely already concerned about the ability of large firms to keep their private data safe.
Krebs said that a number of banks became aware that the chain may have been breached after a massive new swathe of payment card data was made available on underground websites. He added that there are some indications that the alleged attackers in this case may be the same group of Russian and Ukranian hackers that were responsible for the aforementioned Target breach, as well as other high profile compromises at P.F. Chang’s and Sally Beauty. The motivation for the attack, according to Krebs, could be some sort of protest against the US and Europe in the wake of sanctions levied against Russia following its moves into Ukraine.
Whilst data theft is likely to continue within the retail industry I am of the opinion that US firms are more at risk than others right now due to the slow adoption of the chip-and-pin system in America.
Until that system is fully integrated in the US, the fact that magnetic card strips are still scanned as part of the payment process makes them an easier target at the point of sale.
Or, as Ken Westin, security analyst at Tripwire, says:
“It’s safe to say that mega retailer point-of-sale data breaches are approaching the point of an epidemic. These breaches are having a significant impact on consumer trust and many of the retailers still do not fully comprehend the scope or origin of the breaches.
Organized criminal syndicates are actively targeting U.S. retailers simply because they’ve become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected.
Pretty much all of these retailers have been notified of potential fraud after the fact usually by fraud analysts at financial institutions who detect stolen credit card activity. They then map the activity back to specific retailers as the common point of origin.”