Home Depot has announced that a recent data breach, which took place from April to September of 2014 and exposed approximately 56 million payment cards, also exposed separate files containing approximately 53 million email addresses.
The files containing the email addresses did not contain passwords, financial information or any other sensitive personal information.
While Home Depot says it’s “making every effort” to notify all customers whose email addresses were stolen, the company also stated in a FAQ [PDF], “Even if you do not receive an email notification from us, it’s safe to assume your email address could have been stolen.”
“In all likelihood this will not impact you,” the company said in a statement. “But, as always, it’s important to be on guard against phishing scams that are designed to trick you to provide personal information in response to phony emails.”
“It is important not to give out personal information on the phone, through the mail or on the Internet, unless you have initiated the contact and are sure of who you’re dealing with,” the company added. “Similarly, you should not click directly on any email links if you have any doubts about whether the email comes from a legitimate source.”
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, told eSecurity Planet by email that the most significant threat resulting from the stolen emails is, of course, the likelihood of phishing attacks.
“Spear phishing tactics utilizing the knowledge that the email addresses belong to Home Depot customers is a likely outcome, resulting in millions of people potentially receiving fake emails claiming to be from Home Depot requesting either the opening of an infected/malicious file or requesting login credentials,” Kujawa said.
Home Depot also announced that in the previously-disclosed breach, the attackers leveraged a third-party vendor’s user name and password to access Home Depot’s network, though those credentials alone didn’t provide access to Home Depot’s point of sale devices.
“The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada,” the company stated [PDF].
HyTrust president and co-founder Eric Chiu told eSecurity Planet by email that the Home Depot breach is yet another example of a significant data breach happening from the inside. “Insider threats are not only the number one cause of breaches but also lead to the biggest damage; this is because once on the network, an outside attacker looks like any other employee and can take their time siphoning off data without being seen,” he said.
“Also, as we have seen from other high-profile breaches, data is the new currency — not only are attackers looking to use credit cards to make fraudulent charges, but also use email addresses for phishing attacks in order to trick consumers into providing more information or install spyware on their computers,” Chiu added.
Lancope CTO TK Keanini told eSecurity Planet that the supply chain is an attractive target for hackers for two reasons: (1) it often has more access than it really should, and (2) margins are so low that suppliers are forced to cut costs by cutting security spending. “It is going to get a lot worse before it gets better,” he said.
“I’ve been saying for some time that attackers are better at systems thinking than defenders,” Keanini added. “Until defenders are better at thinking about securing systems in innovative ways, this will continue to be a problem. I think by now retail understands that cybercrime is a part of the business, and now it is time to model in that persona in their business continuity plans.”