On September 8th, 2014, Home Depot announced that its customers' debit and credit card information had been compromised during a data breach.
Customers who had used the self-checkout systems from April through August of that year were victims of this breach. In the announcement, Home Depot apologized for the breach, offered identity theft and credit monitoring services to affected customers, and promised that their Incident Response Team was doing its best to limit the damage of the breach. Approximately 56 million credit and debit card information was stolen along with 53 million email addresses. At the time, Home Depot's data breach was the largest with the most known data stolen. It would later be found that Yahoo!'s 2013 data breach was even larger, affecting more than 1 billion accounts.
Recently, it was estimated that the total expenses of this data breach has cost Home Depot $263 million and expenses are still piling up in settlements from individuals and card issuers:
Much like the Target data breach, Home Depot's data breach occurred through the point of sale (POS) systems. According to an in-depth case study, the hackers were able to steal a third-party vendor's credentials and used this as a way to enter the system. The hackers were then able to use the zero-day vulnerability in Windows to pivot directly into the Home Depot corporate network. Once inside the network, the hackers were able to install a custom memory scraping malware. Memory scraping malware is able to scan the POS systems to collect all sensitive data that is entered in. For example, when you swipe your payment card, the malware will collect all of your card information to later be gathered by the hackers.
This malware was installed on over 7,500 self-checkout POS terminals, evading antivirus software and remaining undetected for months. The gathered credit and debit card information was sold, and the emails gathered were used in phishing campaigns.
The Home Depot data breach was not discovered by the company itself, but through multiple banks that found tens of thousands of their customers' cards had shown up for sale on an underground cybercrime shop. It is believed that the same group of Russian and Ukrainian hackers who were responsible for the Target data breach are also responsible for Home Depot's data breach. According to Krebs, this data breach wasn't just about the money and recognition, but also out of retribution:
"In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled 'European Sanctions.'"
After the banks discovered the cards being sold on the cybercrime shop, they researched and found that all of the cards had recently been used at a Home Depot. The banks notified Home Depot of the possible data breach. Home Depot immediately began a full investigation on September 2, 2014.
A story about a massive corporate data breach doesn't have an obvious silver lining; however, the Home Depot data breach acted as a wakeup call to individuals and companies across the country. Companies started taking great strides in providing better cybersecurity for their customers' information. Chip-in-card readers have started to become standard in most major stores as well as other alternative payment methods, like Apple Pay.
Individuals have also started taking extra precautions with their personal information by enrolling in identity theft protection programs. If you are one of the millions who have been affected by a data breach, or if you want to protect yourself, check out our top rated identity theft protection companies. In our next article, we will discuss how chip-in-cards work and other alternative payments and why you should use them.