Update: Home Depot Breach InvestigationRetailer Working with Banks, Authorities on Probe
(This story has been updated.)
See Also: Secure Access in a Hybrid IT World
Home Depot has confirmed it is working with financial institutions and law enforcement to investigate a possible payment card breach.
"At this point, I can confirm that we're looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," says Paula Drake, a spokesperson for the company.
"Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers," Drake says. "If we confirm that a breach has occurred, we will make sure customers are notified immediately."
Drake says it would be inappropriate to speculate further about the incident for security reasons, but Home Depot will provide further information as soon as possible.
Likewise, in a "Message to our customers about news reports of a possible payment data breach" posted Sept. 3, Home Depot says it's "working hard to get you the information you need as quickly as possible and will continue to provide updates as we learn more." In the interim, it recommends customers monitor their payment card accounts and contact card issuers if they notice any unusual activity. "If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers," Home Depot says.
Monitoring for Fraud
One executive with a leading card issuer on the West Coast says most banking institutions are just now reviewing logs for suspicious activity. News of a suspected breach at Home Depot only surfaced the morning of Sept. 2, the executive says.
"As with the other recent breaches, we have not seen a lot of fraudulent activity," this executive adds.
Security blogger Brian Krebs first reported news of a possible breach at the home improvement retailer. He suggests that the same hackers who stole card data from Target Corp. and other retailers also attacked Home Depot. Krebs makes that connection because cards linked to previous Home Depot purchases have cropped up in the same underground forum, "rescator," where cards compromised at other retailers were sold.
"It appears these new batch of cards are selling for $50 to $100 each, though we believe those prices are likely to come down faster than in the past, as the window of opportunity to profit from stolen cards has shrunk," says Daniel Ingevaldson, CTO of fraud prevention firm Easy Solutions. "This has happened because financial institutions have become smarter about dealing with these attacks."
Seth Ruden, senior fraud consultant at payments software and services provider ACI Worldwide, says early indicators suggest the suspected Home Dept breach dates back to at least April. That's a five-month window, compared with the three-week breach window in the Target attack. And that means the Home Depot breach, if confirmed, could be much bigger than the Target incident, he contends. Home Depot has more than 2,200 stores in the United States, Canada and Mexico.
Several industry sources, including Krebs, have suggested the same crime ring that attacked Target, Sally Beauty and P.F. Chang's also targeted Home Depot. They also contend that the same malware, BlackPOS, was used to penetrate those merchants' networks and ultimately compromise their point-of-sale systems.
But Andrew Komarov, CEO of cyber-intelligence firm Intelcrawler, says the industry should be wary of hurried conclusions about how this attack, if it's confirmed, might be linked to other recent breaches. The alleged card numbers that are apparently cropping up in underground forums may have been compromised in earlier attacks, rather than a new attack on Home Depot, he also notes.
Executive Editor Tracy Kitten and Managing Editor Mathew J. Schwartz contributed to this story.