Home Depot hackers accessed system via vendor

By Erin Ayers on November 8, 2014

Home Depot revealed this week that hackers gained access to the retailer’s payment system via a stolen user name and password from a third-party vendor, in a data breach that exposed about 56 million payments and 53 million email addresses.

With the 56 million payment cards, Home Depot’s breach already ranked as the largest retail breach of payment cards in history. With the stolen email addresses, the effect is deepened, and the company warned customers against falling for phishing email scams, designed to trick recipients into revealing personal or financial information.

After stealing the undisclosed vendor’s user name and password, hackers were able to crack the perimeter of Home Depot’s security network, but not the point-of-sale devices. The wrongdoers were then able to gain “elevated rights” that let them further access the network and deploy “unique, custom-built malware” on Home Depot’s self-checkout systems in the US and Canada.

Home Depot’s security investigators noted this malware has not been observed in any other attacks and was specifically designed to avoid detection by antivirus software. The breach has since been closed and the malware eliminated from Home Depot’s systems.

Additional encryption has been applied to all payment data in Home Depot stores in the US.

“The new security protection locks down payment card data, taking raw payment card information and scrambling it to make it unreadable and virtually useless to hackers,” stated the company.

Home Depot will also introduce chip-and-pin technology in US stores, a feature that has been available in Canada since 2011.

Home Depot expects to pay costs related to the breach including liabilities to payment card networks for reimbursements of payment card fraud and card reissuance costs; liabilities related to the company’s private label credit card fraud and card reissuance; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities. Two class action lawsuits have already been filed against the company and the retailer is offering credit monitoring services to all affected customers.


Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].