Home Depot Investigates Possible Credit Card Breach

Home Depot is investigating a potential intrusion into its payment systems, confirming it is working with the Secret Service to identify whether a new cache of stolen credit card data discovered on a hacking forum could be linked to a credit card breach at its stores.

The latest security breach was first reported by Brian Krebs, an investigative reporter who reports on credit card theft and security threats at Krebs on Security. "Multiple banks" confirmed that Home Depot may be the source of a massive breach that could span all 2,200 of its stores, Krebs reported today.

A Home Depot spokesperson did not return a request for comment from CRN. A spokesperson told Krebs that the company is working with law enforcement to investigate suspicious activity.

[Related: POS Resellers To Clients: You're Just As Vulnerable As The Big Retailers]

"I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,’ a spokesperson told Krebs in a prepared statement. ’Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further -- but we will provide further information as soon as possible.’

Its potentially another in a long line of high-profile retail data breaches anchored by the massive credit card breach at retail giant Target at the beginning of the holiday shopping season last November.

Payment system lapses cascaded to other retailers, including Neiman Marcus, Michaels Stores and PF Changs China Bistro along with the non-profit Goodwill Stores. There was also a recent lapse impacting 51 UPS Stores. The incidents are being investigated by the U.S. Secret Service and have prompted an advisory from the Department of Homeland Security, which advises merchants to review the security of their payment systems. DHS specifically warns about the presence of memory-scraping malware called BlackPOS, which is said to have infected Target's systems. Backoff is another Trojan being identified on some payment systems.

The retail breaches prompt some business owners to review their security postures, but many small and midsize business owners don't believe their business is at risk, solution providers told CRN.

Far too many businesses have poorly enforced security policies or lack policies and controls, said John Oetinger, a sales executive at Mont.-based solution provider Corporate Technology Group. Security standards may have been met at one time or another, but organizations need to continually review their security posture, he said.

"Everyone has a certain baseline security metrics that they feel they need to meet, but many organizations see security as a set-it and forget-it function," Oetinger said. "This is a trap that a lot of people fall into because security is an ongoing process that has to be continually reevaluated."

Digital investigators say the malware used to steal credit card data is not always detected by fully updated antivirus engines. Fully patched computers are also not immune to attacks, they say, because the criminals behind the attacks often use stolen account credentials or identify a security weakness in remote access tools used to maintain payment terminals.

PUBLISHED SEPT. 2, 2014