Home Depot says, “Er, yes, we did have a breach actually”‏

Home Depot

Last week, we wrote about a possible data breach at Home Depot, the world’s largest DIY chain.

Home Depot has 2266 stores across the United States, Canada and Mexico, so a data breach caused by a Target-type malware infection right across the company’s network would be a big deal indeed.

Crooks effectively took over Target’s point-of-sale terminals throughout the USA in 2013, and were able to harvest about 40,000,000 credit card records, apparently in less than three weeks.

You’ll find various guesses at how long Home Depot has been pwned, from “more than three months” to “as many as six months.”

That has led to speculation that the Home Depot breach may yet turn out to be bigger than Target’s – the company has more stores than Target, and may have given the crooks significantly more time to harvest financial data.

(Target’s breach, however, was at the very peak of the US retail season, between Black Friday and Christmas.)

Breach now officially confirmed

Just how big and bad Home Depot’s woes will turn out to be is still unknown; all we know so far is that the company has officially confirmed that, yes, there was indeed a breach:


The Home Depot, the world's largest home improvement retailer, today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores.

There is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.

The silver lining is that is sounds as though the payment devices themselves, where you swipe your card and enter your PIN if you have one, were not taken over by the crooks:

While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised.

In US-style credit card transactions, the card data sent from the payment device to the cash register, typically a Windows-based computer, is pushed unencrypted over a USB cable, as though typed on a keyboard.

This means that malware on cash registers can keep its eye on data arriving in memory (credit card data is rather easy to recognise as it passes by, because it has a well-defined structure) and steal it.

Trojan Horses of this sort are wryly known as a “RAM Scrapers“.

The credit card data is only encrypted after it reaches the cash register, a cryptographically poor design given that cash registers are generally easier for crooks to attack successfully than the payment devices themselves.

Debit card PINs are not transmitted in cleartext from the payment device to the rest of the payment network, so they can’t be scraped from RAM along with the card data, making PINs harder for the crooks to harvest.

→ Never say never, of course. Hardware payment devices can be compromised and substituted, either in the supply chain, so they reach retail stores ready-wired for crime, or in place at the store.

Home Depot has reassured its shoppers by emphasising that “no customers will be responsible for fraudulent charges to their accounts,” and is offering the usual after-the-fact precautions such as free credit monitoring.

We suggest, if you have shopped at Home Depot stores in or after April 2014, that you keep a closer-than-usual eye on your credit card statements, just in case.