Home Depot recently announced that the malware leveraged in a recent credit card breach at its stores has been eliminated from its U.S. and Canadian networks, and that it has implemented enhanced encryption of payment data at the point of sale in all of its U.S. stores, with plans to implement the same in its Canadian stores by early 2015.
“The company’s new payment security protection locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers,” Home Depot said in a statement [PDF]. “Home Depot’s new encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms.”
The company says its ongoing investigation has determined that the cybercriminals used “unique, custom-built malware to evade detection,” which was in place from April to September 2014 — and, notably, that information on a total of approximately 56 million payment cards may have been accessed.
At the current crime rate, ESET senior security researcher Stephen Cobb said by email, “I suspect that everyone in America with a payment card, credit or debit, may experience at least one card replacement due to a PoS breach by the time we reach the first anniversary of the Target breach later this year.”
And Rapid7 global security strategist Trey Ford noted that this is why big box retailers make such attractive targets for sophisticated cybercriminals. “They are able to invest time in researching their targets to find a way into the network,” he said. “Once they’re in, they stay quiet and fly unobserved under the radar, potentially for months at a time. … It’s well worth the planning and patience involved for the attacker when the potential pay day is this significant.”
“56 million cards may not be as big as the huge Heartland Payment Systems breach, but it eclipses both the TJX and Target breaches, and that’s going to cost Home Depot a lot of money,” Ford added. “We can expect other large global retailers, such as Wal-Mart, Carrefour, Tesco and Metro AG, will be paying close attention as the investigation continues.”
RedSeal Networks chief architect Steve Hultquist said by email that Home Depot’s commentary about the sophistication of the malware used to target its systems makes it clear that traditional cyber defenses are no longer enough. “The complexity of systems and networks today, together with the speed of innovation and change, mean that enterprises must change the way they think about defending themselves,” he said.
“They have to know all the potential access into and out of their network before the attackers find them,” Hultquist added. “They must know that all security controls are in the right places, configured as intended, and producing the overall network security architecture and defenses intended. It’s no longer responsible to believe the network is understood. Enterprises must use automation to [assure] themselves and their stakeholders that they understand it and have done what they can to defend their customers from attack.”