Home Depot data breach could be the largest yet

  • Copyright 2014 New York Times News Service (via Peninsula Daily News)
  • Tuesday, September 9, 2014 10:05am
  • News
The security breach at Home Depot continued

The security breach at Home Depot continued

Copyright 2014 New York Times News Service (via Peninsula Daily News)

NEW YORK —

Home Depot has confirmed that hackers had broken into its in-store payments systems, in what could be the largest known breach of a retail company’s computer network.

The retailer said the exact number of customers affected was still not clear.

But a person briefed on the investigation said the total number of credit card numbers stolen at Home Depot could top 60 million. By comparison, the breach last year at Target, the largest known attack to date, affected 40 million cardholders.

The breach may have affected any customer at Home Depot stores in the

United States and Canada from April to early last week, said Paula Drake, a company spokeswoman. Customers at Home Depot’s Mexico stores were not affected, nor were online shoppers at HomeDepot.com. Personal identification numbers for debit cards were not taken, she said Monday.

Home Depot has not yet confirmed other details.

The retailer operates 1,977 stores in the United States and 180 in Canada. That is about 400 more than Target had when it was compromised.

Target’s breach went on for three weeks before the company learned about it, while the attack at Home Depot went unnoticed for as long as five months.

“Honestly, Home Depot is in trouble here,” said Eric W. Cowperthwaite, vice president of Core Security, an Internet-security consulting company. Mr. Cowperthwaite noted that it was a security blogger, Brian Krebs, not the company, that first reported the breach.

“This is not how you handle a significant security breach, nor will it provide any sort of confidence that Home Depot can solve the problem going forward,” Mr. Cowperthwaite said.

Last week, before Home Depot confirmed the attack, customers in Georgia had already filed a class-action lawsuit against the retailer for failing to protect customers from fraud and not alerting them to the breach in a timely manner.

Home Depot said it would offer free identity protection and credit-monitoring services to any customer who had used a credit or debit card at any of its affected stores.

Since the breach at Home Depot first came to executives’ attention last Tuesday, the company said it had been working with two security companies, Symantec and FishNet Security, to investigate.

Home Depot is unlikely to be the last big retailer to suffer a breach of its cash register systems. Hackers have for some time been scanning merchants’ networks for ways to gain remote access, such as through outside contractors who have access to a computer network. Once they find that opening, they install so-called malware that is undetectable by antivirus products.

The Department of Homeland Security and the Secret Service recently estimated that more than 1,000 businesses in the United States had been infected with malware that is programmed to siphon payment card details from cash registers in stores.

They believed that many of these businesses did not even know they were sharing customers’ credit card information.

Besides Home Depot and Target, among the companies that have been hacked are U.P.S., Goodwill, P. F. Chang’s, Sally Beauty, Michael’s and Neiman Marcus.

Security experts believe that the same group of criminals in Eastern Europe is behind the attacks, according to several people briefed on the results of forensics investigations who were not allowed to speak publicly because of nondisclosure agreements.

Buried in the malware used in the Home Depot attack were links to websites that reference the United States role in the conflict in Ukraine.

In each case, the entry point has differed, according to one law enforcement official. At Target, it was thought to be a Pennsylvania company that provided heating, air conditioning and refrigeration services to the retailer. The entry points for the other businesses are still unknown.

Studies have found that retailers, in particular, are unprepared for such attacks.

A joint study by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that a majority of computer security experts in the United States believed that their organizations lacked the technology and tools to quickly detect database attacks.

Only one-third of those experts said they did the kind of continuous monitoring needed to identify irregular activity in their databases, and 22 percent acknowledged that they did not scan at all.

After Home Depot confirmed the breach on Monday, a retail lobbying group in Washington said it was time the industry worked together to combat such threats.

“Any organization connected to the debit and credit card ecosystem faces constant and evolving threats,” said Sandy Kennedy, president of the Retail Industry Leaders Association.

“The public and private sector must continue to work together to improve debit and credit card security, identify threats and share information to best defend against cyberattacks.”

Previous
Amazon cuts struggling Fire phone’s price to 99 cents
Next
Enchanted Valley chalet pushed back from river bank as work continues in remote Olympic National Park locale

More in News

Crews work to remove metal siding on the north side of Field Arts & Events Hall on Thursday in Port Angeles. The siding is being removed so it can be replaced. (Dave Logan/for Peninsula Daily News)
Siding to be replaced

Crews work to remove metal siding on the north side of Field… Continue reading

Tsunami study provides advice

Results to be discussed on Jan. 20 at Field Hall

Chef Arran Stark speaks with attendees as they eat ratatouille — mixed roasted vegetables and roasted delicata squash — that he prepared in his cooking with vegetables class. (Elijah Sussman/Peninsula Daily News)
Nonprofit school is cooking at fairgrounds

Remaining lectures to cover how to prepare salmon and chicken

Port Townsend Main Street Program volunteers, from left, Amy Jordan, Gillian Amas and Sue Authur, and Main Street employees, Sasha Landes, on the ladder, and marketing director Eryn Smith, spend a rainy morning decorating the community Christmas tree at the Haller Fountain on Wednesday. The tree will be lit at 4 p.m. Saturday following Santa’s arrival by the Kiwanis choo choo train. (Steve Mullensky/for Peninsula Daily News)
Decoration preparation

Port Townsend Main Street Program volunteers, from left, Amy Jordan, Gillian Amas… Continue reading

Port Angeles approves balanced $200M budget

City investing in savings for capital projects

Olympic Medical Center Board President Ann Henninger, left, recognizes commissioner Jean Hordyk on Wednesday as she steps down after 30 years on the board. Hordyk, who was first elected in 1995, was honored during the meeting. (Paula Hunt/Peninsula Daily News)
OMC Commissioners to start recording meetings

Video, audio to be available online

Jefferson PUD plans to keep Sims Way project overhead

Cost significantly reduced in joint effort with port, city

Committee members sought for ‘For’ and ‘Against’ statements

The Clallam County commissioners are seeking county residents to… Continue reading

Christopher Thomsen, portraying Santa Claus, holds a corgi mix named Lizzie on Saturday at the Airport Garden Center in Port Angeles. All proceeds from the event were donated to the Peninsula Friends of Animals. (Dave Logan/for Peninsula Daily News)
Santa Paws

Christopher Thomsen, portraying Santa Claus, holds a corgi mix named Lizzie on… Continue reading

Peninsula lawmakers await budget

Gov. Ferguson to release supplemental plan this month

Clallam County looks to pass deficit budget

Agency sees about 7 percent rise over 2025 in expenditures

Officer testifies bullet lodged in car’s pillar

Witness says she heard gunfire at Port Angeles park