According to investigative reporter Brian Krebs, an apparent credit card breach at Home Depot may impact customers at almost all of the company’s approximately 2,200 stores nationwide.
On September 2, 2014, Krebs reported that sources at several banks had told him Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that had gone on sale that morning on an underground forum.
“There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others,” Krebs wrote at the time, noting that the breach may extend as far back as late April or early May 2014 and could well be significantly larger than the Target breach in late 2013.
On September 3, 2014, Krebs reported that there’s a 99.4 percent overlap between the zip codes of the credit cards being offered for sale and the zip codes of U.S. Home Depot locations. “A 99+ percent overlap in zip codes strongly suggests that this source is from Home Depot,” ICSI researcher Nicholas Weaver told Krebs.
“To put that in perspective, the Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks, and resulted in the theft of roughly 40 million debit and credit card numbers,” Krebs wrote. “If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target.”
Still, it’s important to note that Home Depot hasn’t yet confirmed that a breach has taken place.
“We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. … If we confirm a breach has occurred, we will make sure our customers are notified immediately,” the company said in a statement on its website.
RedSeal Networks chief evangelist Steve Hultquist said by email that potential breaches like this one demonstrate the sophistication of the attackers and the investments they’re making in their attacks. “These investments mean that enterprises must likewise increase their defensive investments, especially in the analysis of potential attack vectors,” he said.
“Simply reacting while attacks are in progress is insufficient,” Hultquist added. “Each enterprise must know its network security architecture and have automated analysis to ensure that the entire end-to-end network complies with its policies. Not doing so is effectively agreeing to be attacked in unknown ways and having to deal with the impacts of a breach.”
And HyTrust president and co-founder Eric Chiu said by email that customers have a right to expect better security from retailers. “The old adage ‘fool me once, shame on you; fool me twice, shame on me’ should be a wake-up call to corporate executives, boards of directors, and IT and security leaders, as well as regulators and law enforcers everywhere,” he said.