This past Thursday, after weeks of speculation, Home Depot, which calls itself the world’s largest home improvement retailer, finally announced [pdf] the total damage from a breach of its payment system: At its 1,157 stores in the U.S. and Canada, 56 million unique credit and debit cards were compromised. This is said to be among the three largest IT security breaches of a retail store, and ranks with some of the largest security breaches of all time.
According to Home Depot’s press release, the company confirmed that the criminal cyber intrusion began in April and ran into September, and “used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners.”
The company says that it has now removed all the malware that infected its payment terminals, and that it “has rolled out enhanced encryption of payment data to all U.S. stores.” The enhanced encryption approach, Home Depot states, “takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.” It is a bit curious that the company says “virtually useless” and not “completely useless,” though “virtually” is the honest word: encrypted card data is useless only to someone who does not hold the decryption key, and that key has to live somewhere.
Canadian stores, on the other hand, will have to wait a bit longer. While Home Depot’s Canadian stores have point-of-sale EMV chip-and-PIN card terminals, “the rollout of enhanced encryption to Canadian stores will be completed by early 2015,” the company says. Canadian Home Depot stores were at first thought to be less vulnerable because the chip-and-PIN terminals were already in place, but that apparently hasn't been the case. The chip makes a card much harder to counterfeit, but EMV by itself does not encrypt the account number as it passes through the store’s point-of-sale software, which is exactly where memory-scraping malware reads it. For some reason, the company is refusing to disclose the number of Canadian payment cards compromised, the Globe and Mail says. The Globe and Mail estimates the total number of Canadian cards compromised to be around 4 million.
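To make the point concrete, here is an added example (written for this page; it is not Home Depot’s code, nor the malware, nor any vendor’s encryption product) showing why encrypting card data inside the reader defeats a memory scraper while a chip terminal alone does not. The sample swipe records, store fields and key are constructed test data, and the “reader encryption” is a toy HMAC keystream standing in for a real point-to-point encryption scheme; the scraper logic (find digit runs of card-number length and keep the ones that pass the Luhn check) is the generic technique, not a reconstruction of the malware used in this breach.

```python
import hashlib
import hmac
import re
from typing import List

# Constructed sample records, not real card data: one Track-2-style string per
# swipe (PAN '=' expiry + service code), as a reader hands it to the POS software.
SWIPES = [
    b";4111111111111111=2512101?",
    b";5500000000000004=1601201?",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; card numbers pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Digit runs of card-number length (13 to 19), not embedded in a longer run.
PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def scrape_pans(memory: bytes) -> List[str]:
    """Mimic a RAM scraper: return every Luhn-valid card-length digit run in the buffer."""
    return [m.group().decode() for m in PAN_RUN.finditer(memory)
            if luhn_ok(m.group().decode())]


def reader_encrypt(track: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy stand-in for encryption inside the card reader: XOR with an HMAC-SHA256
    keystream under a per-swipe nonce. It shows WHERE the data is encrypted; it is
    not a production cipher or a real P2PE/DUKPT scheme (assumption for the demo)."""
    stream = b""
    block = 0
    while len(stream) < len(track):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(track, stream))


def pos_memory(swipes: List[bytes], encrypt_at_reader: bool,
               key: bytes = b"reader-key-demo") -> bytes:
    """Assemble what the POS application holds in RAM during authorisation:
    transaction metadata plus either cleartext track data (chip or magstripe
    terminal without P2PE) or the ciphertext an encrypting reader handed over."""
    buf = b"STORE=1157;TS=20140902123456789;"  # 17-digit run that fails Luhn
    for i, track in enumerate(swipes):
        if encrypt_at_reader:
            buf += reader_encrypt(track, key, nonce=i.to_bytes(4, "big"))
        else:
            buf += track
        buf += b"AMT=1299;"
    return buf


if __name__ == "__main__":
    print("terminal without reader encryption:", scrape_pans(pos_memory(SWIPES, False)))
    print("terminal with reader encryption:   ", scrape_pans(pos_memory(SWIPES, True)))
```

Run as-is, the first line lists both card numbers and the second lists nothing: the scraper’s regex and Luhn filter never see a cleartext PAN once the reader encrypts before the POS software touches the data. Note that the processor holding the key can still decrypt the ciphertext, which is why “virtually useless” is the accurate phrasing.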
Home Depot goes on to say in its press release that it has no evidence “that debit PIN numbers were compromised or that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca.”
As usual in these situations, Home Depot “is offering free identity protection services [for one year], including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.” The company also apologized to its customers “for the inconvenience and anxiety this has caused.”
Home Depot’s data breach was first made public on 2 September by Brian Krebs, the former longtime Washington Post reporter with amazing IT security contacts, who now publishes a must-read security website called Krebs on Security. Several banking sources told Krebs about “a massive new batch of stolen credit and debit cards that went on sale [that] morning in the cybercrime underground,” with Home Depot looking like the source. Krebs went on to write that:
There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store — rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.
It wasn’t until 8 September that Home Depot confirmed that it had in fact suffered a breach. Krebs, who has since written about the breach several times, recently wrote that the breach may not be as severe as indicated (nor as severe as it could have been). Sources have indicated that the malware used — which looks like a variant of what smacked Target late last year — was “installed mainly on payment systems in the self-checkout lanes at retail stores.” The reasoning is that if the malware had penetrated Home Depot’s payment system to the extent that Target’s systems were breached, many more than 56 million payment cards would have been compromised.
Sellers of compromised Home Depot card data are targeting specific states and ZIP codes in the hopes that buyers of the stolen cards will raise fewer red flags in the credit card and banking fraud algorithms, which treat a card used far from where it was issued as suspicious. For instance, some 52,000 cards from Maine Home Depot stores, 282,000 from stores in Wisconsin, and 12,000 from stores in Minnesota have been offered for sale. Card prices seem to be ranging mostly from $9 to $52 apiece, although for $8.16 million, one could purchase all of the stolen payment card numbers from Wisconsin, the Milwaukee-Wisconsin Journal Sentinel reported. The Journal Sentinel noted that its investigation found that:
Prices start at $2.26 for a Visa debit card with an expiration date of September 2014. The most valuable cards are MasterCard platinum debit cards and business credit cards. The most expensive card compromised in Wisconsin, a MasterCard valid through December 2015, was advertised at $127.50.
Interestingly, while Home Depot’s 56 million payment card breach is larger than Target’s 40 million payment card breach, the severity of the blowback so far is much more muted on the part of customers and investors. Part of the reason seems to be that the discovery of the breach happened at the end of summer, a slow shopping time for Home Depot, while Target’s was announced during the prime holiday buying period, which spooked its customers.
Further, investors have figured that Target’s breach cost the company some $150 million net of $90 million in insurance reimbursements—a sum the company could ill afford given its ongoing retail difficulties. A similar sum may dent Home Depot’s bottom line, but the company is better placed financially to absorb the damage. The company stated in its press release that it has spent at least $62 million in dealing with the breach so far, with some $27 million of it covered by insurance. Home Depot says it doesn’t know how much more it will need to spend, but I suspect it could be an additional couple of hundred million dollars before all is said and done.
A third reason for the muted response may be that customers are becoming inured in the wake of so many point-of-sale data breaches. For example, last May, the Ponemon Institute was cited in a CBS News report as stating that some 47 percent of adult Americans had their personal information compromised in the past year. Given the Home Depot breach, as well as many others since, the number is probably even higher now. How many people had their personal information compromised multiple times is unknown, but I suspect it isn’t an insignificant number.
Home Depot’s financial and reputational pain might increase significantly, however, if the joint Connecticut, Illinois, and California state attorneys general investigation into the breach decides there is sufficient cause to sue Home Depot. As expected, at least one class action lawsuit each has been filed in both the United States and Canada, and more can be expected. Banks may also decide to sue Home Depot to cover the cost of any credit or debit cards they have to replace and for other financial damages, as some did against Target and earlier against TJX.
As reported by both The New York Times and Bloomberg BusinessWeek, Home Depot had been repeatedly warned by its own IT security personnel about its poor and outdated IT security since 2008. Corporate management reportedly decided not to immediately upgrade the company’s security capabilities using readily available systems, even in the aftermath of the Target breach and the hacking of a couple of Home Depot stores last year, incidents that were not publicly disclosed until now. While the company did eventually decide to upgrade its payment security systems, the implementation effort didn’t get started until April, the same month the breach began. In addition, the papers report, Home Depot seemed to have weak security monitoring of its payment system, even though company management knew it was highly vulnerable to attack.
That Home Depot’s payment system was left vulnerable is interesting, because the company spent hundreds of millions of dollars improving its IT infrastructure over the past decade. Perhaps with revenues of $79 billion in 2013 the company felt it could easily afford the costs of an attack, and therefore, there was no urgent rush to increase its security posture. Brian Krebs notes this apparent lack of urgency as well. He says that even though the company was alerted to something being massively amiss by banks, “thieves were stealing card data from Home Depot’s cash registers up until Sept. 7, 2014, a full five days after news of the breach first broke.”
That alone speaks of an arrogance that belies Home Depot's public statements about how it takes the privacy and security of its customers’ personal information “very seriously.” Local Home Depot store personnel I have spoken with seem very ill-informed concerning the breach and what customers should do about it, which also seems to me at odds with Home Depot’s advertised customer-caring attitude.
Home Depot’s seemingly cavalier IT security attitude isn’t unique, of course. Target didn’t bother to investigate alerts from its advanced warning system showing that it was being hacked until it was JTL — just too late. Just last week, eBay was being slammed again for its “lackadaisical attitude” toward IT security after multiple instances of malicious cross-site scripting, present and unabated since February, were found on its UK website. Only after the BBC started asking eBay questions about the scripting issue did it decide that perhaps it should take them seriously. You may remember, it was only last March when eBay, which also proclaims to take customer security “very seriously,” asked all of its users to change their passwords after a cyberattack compromised its database of 233 million usernames, contact information, dates of birth, and encrypted passwords.
To tell you the truth, every time I read or hear a company or government agency claim in a press release that, “We take your security seriously,” in the wake of some security breach, I shake my head in disbelief. Why not just state honestly, “We promised to take your security seriously and we obviously failed to take it seriously enough. We’re sorry and we will be better prepared from now on.” Alas, that level of candor is probably much too much to ask.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.