Home Depot announced Thursday that a breach at its U.S. and Canadian stores over a six-month period this year may have put an estimated 56 million payment cards at risk.
That would make it the largest compromise of debit and credit cards in the string of cyberattacks that have hit retailers over the past year. The attack that hit Target stores during the 2013 holiday season may have breached as many as 40 million cards, Target has said, although it was later revealed that the personal information of an additional 70 million consumers was also accessed.
Home Depot also said for the first time that the malware that facilitated the breach of its payment terminals “has been eliminated from the company’s systems.”
The home improvement retailer says its ongoing investigation has revealed that the cybercriminals used custom-built malware to evade detection once it was implanted on the company’s systems.
The string of breaches that has hit U.S. retail stores is thought by many experts to be the work of organized gangs of cybercriminals.
“Every indication is that it’s very much Eastern European,” says Ben Johnson of cybersecurity firm Bit9+Carbon Black. “They’re incredibly organized. They may not necessarily use advanced technology, but they are very meticulous about their methods.”
“They do their due diligence in researching their targets and find a way into the network,” added Trey Ford, global security strategist at cybersecurity firm Rapid7. “Based on the information available, it’s a sophisticated, well-planned attack designed for a very significant pay day.”
And the 56 million payment cards potentially breached at Home Depot speak to why big box retailers are great targets for cybercriminals, he says. Cybercrime is essentially a business: Hackers follow the money.
“You can be confident that the largest global retailers such as Wal-Mart, Carrefour, Tesco and Metro AG are paying close attention as the investigation continues,” Ford says.
Home Depot said Thursday that it has completed a major security project that fully encrypts its payment data at its point-of-sale terminals in U.S. stores, an upgrade that was launched in January of 2014 -- before the breach appears to have begun. Home Depot expects to complete the rollout of a similar system in its Canadian stores by early 2015.
Home Depot’s Canadian stores are already enabled with “Chip and PIN” -- a more secure credit card technology that is used in much of the world, but has not yet been widely deployed in the United States. Major payment processors have set an October 2015 deadline for retailers to install such measures or be liable for fraud caused by using outdated methods. Home Depot says “Chip and PIN” will be deployed in all of its U.S. stores by the end of the year.
The company is offering free identity protection services -- including credit monitoring -- to customers who used a payment card at a Home Depot store after April of this year.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Home Depot chief executive Frank Blake in a statement.
Unfortunately, beyond regularly checking their bank or credit card statements, experts say there’s little individual consumers can do to protect themselves at this point. “There’s not a whole lot of power consumers have,” says Ben Johnson of cybersecurity firm Bit9+Carbon Black. Even if consumers start monitoring their accounts now, they are still susceptible to fraudulent activities that may have occurred during the months before the breach was discovered, he says.
Johnson also worries that the frequency of breaches and the fact that payment card processors often end up covering the losses may desensitize consumers. “If people are exposed to this every week and not feeling it in their wallet, they may not really care.”