Lots of people who speculated about the source of the credit card data breach at the Home Depot turned out to be wrong.
But those who suggested that Home Depot’s breach might end up bigger than Target’s turned out to be spot on.
As the home improvement retail giant revealed in a statement on Thursday, 18 September 2014, 56 million unique payment cards were compromised in the attack.
The attack on Target in late 2013 resulted in the theft of 40 million credit and debit card numbers, although Target also managed to lose 70 million other customer records.
However, despite some initial reports that malware responsible for the compromise of the Home Depot’s point-of-sale (PoS) systems was the same malware that hit Target, that’s apparently not the case.
Instead, malware on the Home Depot’s PoS registers was “unique, custom-built malware” that “had not been seen previously in other attacks,” the company said.
The malware had been present on Home Depot systems since April 2014 and was finally eliminated on 13 September 2014.
The company said it began investigating the breach on 2 September 2014 after it was notified by banking partners and law enforcement of suspicious activity, and has worked with security firms and the US Secret Service to close off the attack.
In response, the Home Depot has rolled out “enhanced encryption” in all of its US stores to make credit card data unreadable, and will complete adoption of EMV Chip-and-PIN technology by the end of the year.
Canadian stores, which are already enabled with Chip and PIN technology, will receive the new encryption system in 2015, the company said.
As is becoming routine in the wake of recent data breaches at Supervalu, The UPS Store and others, the Home Depot issued an apology and said it is offering free credit monitoring services to those affected.
The company estimated that the cost of its investigation, credit monitoring, customer outreach, call center staffing and legal costs will add up to about $62 million, about $27 million of which it expects to have reimbursed by insurers.
Yet the total cost of the breach could end up much, much larger.
As the company said in its updated earnings forecast, future costs could include a host of other liabilities:
Costs related to the breach may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs; liabilities related to the company’s private label credit card fraud and card reissuance; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities.
Silver linings
It might be hard to see the good in such a costly data breach that has put potentially tens of millions of card-holders at risk of fraud, but the Home Depot’s mega-breach should, hopefully, be the final nail in the coffin for the old magnetic stripe credit cards predominant in the US.
Magstripe cards, as they are often called, are vulnerable to the type of attack seen at the Home Depot and Target because they rely on 50-year-old technology: the stripe holds static card data that is read in the clear on every swipe, so a copy of that data is enough to use the card anywhere.
EMV Chip and PIN cards, on the other hand, generate a unique code for each transaction, so a code captured from one transaction cannot be reused by attackers to make fraudulent charges.
Systems that process magstripe data are also vulnerable to so-called RAM scraper malware, which steals cleartext payment card data out of RAM (Random Access Memory) on PoS computers while a transaction is being processed.
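To make the difference concrete, here is an added illustration that is not part of the original article and not Sophos or Home Depot code: a toy model of why static magstripe data can be replayed by whoever captures it, while a per-transaction cryptogram tied to a counter cannot. The card classes, the issuer classes, the HMAC-SHA256 construction, the sample PAN and the card key are all constructed assumptions for the demonstration; real EMV cryptograms (ARQC) use a different derivation, and this is only a simplified stand-in for the idea.

```python
import hmac
import hashlib
import secrets

# Constructed sample values for the demo; not real card data or keys.
SAMPLE_PAN = "4000000000000002"        # hypothetical test-range PAN
SAMPLE_EXPIRY = "2712"                 # YYMM
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # hypothetical card key


def magstripe_track2(pan: str, expiry: str) -> str:
    """Static Track 2 data: the same bytes every swipe, no secret, no counter."""
    return f"{pan}={expiry}101"


class MagstripeIssuer:
    """Toy issuer that can only check that the card on the stripe exists."""

    def __init__(self, pans):
        self.cards = set(pans)

    def authorise(self, track2: str, amount_cents: int) -> bool:
        pan = track2.split("=")[0]
        return pan in self.cards   # nothing here proves the genuine card was present


class ChipCard:
    """Toy chip: a secret key shared with the issuer plus a transaction counter (ATC)."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key
        self.atc = 0

    def cryptogram(self, amount_cents: int, unpredictable_number: bytes):
        self.atc += 1   # counter advances on every transaction
        msg = (self.atc.to_bytes(2, "big")
               + amount_cents.to_bytes(4, "big")
               + unpredictable_number)
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return self.atc, mac


class ChipIssuer:
    """Toy issuer: recomputes the cryptogram and rejects stale counters."""

    def __init__(self):
        self.cards = {}   # pan -> [key, last accepted ATC]

    def enrol(self, pan: str, key: bytes):
        self.cards[pan] = [key, 0]

    def authorise(self, pan, atc, amount_cents, unpredictable_number, mac) -> bool:
        if pan not in self.cards:
            return False
        key, last_atc = self.cards[pan]
        msg = (atc.to_bytes(2, "big")
               + amount_cents.to_bytes(4, "big")
               + unpredictable_number)
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, mac):
            return False            # amount or nonce changed, or wrong key
        if atc <= last_atc:
            return False            # counter already used: a replay
        self.cards[pan][1] = atc    # remember the highest accepted counter
        return True


def magstripe_replay_demo():
    """Genuine swipe, then the captured track data presented again elsewhere."""
    issuer = MagstripeIssuer({SAMPLE_PAN})
    track2 = magstripe_track2(SAMPLE_PAN, SAMPLE_EXPIRY)
    genuine = issuer.authorise(track2, 4999)
    captured = track2               # what cleartext data in PoS memory looks like
    replayed = issuer.authorise(captured, 99999)   # other merchant, other amount
    return genuine, replayed        # (True, True): the copy is as good as the card


def chip_replay_demo():
    """Genuine chip transaction, then replay, tampering, and a fresh transaction."""
    issuer = ChipIssuer()
    issuer.enrol(SAMPLE_PAN, SAMPLE_KEY)
    card = ChipCard(SAMPLE_PAN, SAMPLE_KEY)

    nonce = secrets.token_bytes(4)          # terminal's unpredictable number
    atc, mac = card.cryptogram(4999, nonce)
    genuine = issuer.authorise(SAMPLE_PAN, atc, 4999, nonce, mac)
    replayed = issuer.authorise(SAMPLE_PAN, atc, 4999, nonce, mac)        # same data again
    tampered = issuer.authorise(SAMPLE_PAN, atc + 1, 99999, nonce, mac)   # old MAC, new values

    nonce2 = secrets.token_bytes(4)
    atc2, mac2 = card.cryptogram(1250, nonce2)
    next_genuine = issuer.authorise(SAMPLE_PAN, atc2, 1250, nonce2, mac2)
    return genuine, replayed, tampered, next_genuine   # (True, False, False, True)


if __name__ == "__main__":
    print("magstripe (genuine, replayed):", magstripe_replay_demo())
    print("chip (genuine, replayed, tampered, next):", chip_replay_demo())
```

The point the model makes is the one the article makes: whatever a RAM scraper captures from a chip transaction is a one-time value that the issuer will refuse a second time, whereas captured stripe data is indistinguishable from the card itself. Note that a chip transaction still passes the card number through the terminal, which is why the encryption the company describes rolling out matters alongside EMV rather than instead of it.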
The Home Depot said the roll-out of its enhanced payment card system required “writing tens of thousands of lines of new software code” and adding 85,000 new PIN pads in its stores – undoubtedly another very costly undertaking.
It’s unfortunate that US banks and retailers have lagged far behind their counterparts across much of the rest of the world in adopting more secure payment card technology – in part due to the high cost of replacing so many thousands of PoS devices.
As we can all see clearly now, the cost of not doing so is enormous and rapidly mounting.
If you’re interested in learning more about the Home Depot breach, how attacks on retailers work, and how to prevent data loss, watch a webcast featuring Sophos Senior Security Advisor Chester Wisniewski.
Chet’s webcast, Beyond the Home Depot Hype: How to stop credit card thieves and opportunistic malware, was recorded on Tuesday, September 23, 2014 at 1pm EDT (2014-09-23T13:00-4), and lasts an hour.
It is becoming abundantly clear that there is no way to absolutely secure CC data. Do we need to go back to cash?
Cash is cool…until you get arrested for passing counterfeit money at a store by an off duty cop working security. The issue is that the quality is now good enough to be undetectable by the average person. Essentially, you could have a counterfeit ten dollar bill in your wallet right now that you received in change from a store.
I don’t know the law in the US, but I’m fairly sure that in the UK you aren’t guilty of passing counterfeit money if you have no idea that it’s counterfeit. We have about 45 million fake £1 coins in circulation.
John, the answer seems to be Yes! I already increased my cash usage at many stores now. One of the purposes of having credit/debit cards was so that someone wouldn’t rob you and take your cash. But apparently, that’s irrelevant now.
If you do get mugged and your cash is stolen, will the bank refund you?
Thank goodness for the second amendment, I can pay with lead if I run out of cash.
John and Roy, there are ways to secure CC data. But there are many factors to consider. 1. People, in general, are lazy. Swipe, enter PIN or sign, and leave. More steps than that, people will complain. 2. Companies generally put immediate profit over security. We have also seen in the past that profit is over safety. Companies just don’t care unless they can see an immediate profit gain from it. They usually deal with consequences of such poor decisions later. 3. Software and hardware developers also have the same concept. The quicker the product is put out, the faster profits start to roll in. Any security issues are dealt with later as they pop up. 4. America is increasingly relying on credit. Better have a good credit report if you want a car, house, or even a job. With some employers, if your credit score falls below a certain number, you may lose your job.
So going back to strictly cash can be tough in today’s American society. The data breaches will continue to happen as long as corporations continue to be stupid for profits.
Yes, but that isn’t acceptable in the 21st century. I know companies will be happy to tread along in the current scenario knowing they could still get customers in the door per their product (in this case Home Depot puts people in a corner because it’s a hardware store). But I won’t overlook this. And no one else should either.
Here is the dirty truth about POS systems. Most systems are based on waaaaay outdated software. A lot of them were still DOS based around 2005. Of course when I designed the feed to do credit card reconciliation for the company I worked for at the time I got with a fellow geek and encrypted the files. If anyone needed to review the actual data on the file for errors you needed to talk with the CIO to get clearance, a copy of the key, then when you were done a new set of encryption keys were created and stored in the safe. I can honestly see a corporation having problems at a store or two due to a keylogger, but a breach at the corporate level mystifies me.
How many of the companies that have been hacked are ones that store our card numbers in their system? I know that at Walmart I do not have to have the card I used to return an item if I have the receipt. They just need to scan the receipt to credit the card back. I have been wondering this since returning an item at Auto Zone, which actually has to have the card to issue a refund.