Home Depot said 56 million of its customers had their credit cards lifted in a mysterious cyber attack that breached its point-of-payment systems in April and was discovered by the home retailer five months later.
Home Depot found out about the breach on September 2, after banking partners noticed large batches of credit card numbers being dumped by cyber thugs onto underground marketplaces like Rescator.cc and traced them to Home Depot. This means the hackers were able to operate within Home Depot’s systems unmolested for half a year.
Once the Secret Service-led investigation kicked into high gear, it took Home Depot and investigators more than a week to declare that there had been an actual penetration of the systems. The attack bore similarities to the colossal breach of Target in December that claimed nearly 70 million credit cards.
Home Depot expressed confidence that the investigation had ended, with new encryption protocols introduced.
The breach affected all of Home Depot’s 2,220 U.S. and Canadian outlets. Predictably, in a press release that just dropped, Home Depot said it was moving to so-called EMV “Chip and PIN” technology that will ostensibly make it harder to penetrate the firewall. European retailers have been using the technology for years, but many cyber security experts say even that won’t stop the breaches.
VentureBeat reported last week that cyber experts had identified the malware, called BlackPOS, as an enhanced version of the virus that hit Target. Criminal coders enhanced the malware from the Target breach in a bid to stay one step ahead of forensic authorities.
Adam Kujawa, head of intelligence at Malwarebytes, told VentureBeat that, without question, cyber criminals had already moved on to making a newer malware strain now that investigators had uncovered this one.
“The newer BlackPOS utilized an additional application that it drops in order to send the stolen data back to the command and control server, while the original BlackPOS did this simply by utilizing a line of code within the already running malware process,” Kujawa noted.
From Home Depot’s press release:
“Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners. The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards. The malware is believed to have been present between April and September 2014. The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”
Home Depot chief Frank Blake raised eyebrows because, at the outset of the investigation, he barely spoke about the breach at a Goldman Sachs-sponsored retail convention in New York. Target CEO Gregg Steinhafel was shown the door after the dust settled in the Target attack, albeit with a $15 million golden parachute.
Blake did his best Thursday to put on a brave face in a press release:
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges. From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”
The company announced that Voltage Security would from now on provide security to protect its IT infrastructure and said that all security enhancements at its stores had been completed.