Home Depot Confirms Breach, Remains Mum On Details

Home Depot confirmed a credit card breach after investigators pinpointed malware infections on its payment terminals indicating that the security lapse may have started in April.

In a statement released Monday, the home improvement giant said the breach may have grown to encompass all 2,200 stores in the U.S. and Canada. Shoppers at Home Depot stores in Mexico and sales on its website were not impacted by the security lapse, the company said.

’While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,’ the company said in its statement.

[Related: Home Depot Data Breach Probe Likely Narrowly Focused, Experts Say]

Home Depot retained security teams from Symantec and FishNet Security to identify the scope of the lapse. The report, which will be given to credit card brands and impacted issuing banks, will include a set of recommendations to bolster security. Meanwhile, Home Depot said it would offer free credit monitoring and other identity protection services to its affected customers.

Home Depot is the latest in a long line of data breaches that have rocked the retail industry since retail giant Target confirmed its breach in January. A security lapse involving similar memory-scraping malware on its payment terminals resulted in the exposure of about 40 million credit and debit cards. The retailer said the cost associated with the data breach is projected to reach $148 million.

Other security breaches at Neiman Marcus, P.F. Chang's China Bistro and Michael's Stores have put attention on deployments of POS systems that support chip-and-PIN payments designed to reduce the risk of fraud at brick-and-mortar stores.

Retailers deal with a variety of issues from physical loss prevention to store clerks giving credit to their best friends or flat-out stealing from the till, said Tom Arnold, co-founder and principal at San Jose, Calif.-based PSC, which specializes in payment industry security incident investigations and compliance assessments.

"We're not seeing more breaches; this is much of the same and there's not enough information to say that there's some greater sort of operation aimed at taking down prominent retailers," Arnold told CRN. "While there are large-scale compromises of data like this where the stolen information is used to create fraudulent cards online, retailers have to deal with a variety of loss risks."

NEXT: Retail POS Breaches Had Been Trending Downward

The annual Verizon Data Breach Investigations Report has been tracking a decline in point-of-sale system breaches at brick-and-mortar stores despite a long history of massive breaches beginning with the TJX Corp. breach in 2007. Weak Wi-Fi enabled attackers to gain access to its systems, resulting in the theft of more than 45 million credit and debit cards. The breach highlighted the Payment Card Industry Data Security Standards, or PCI-DSS, the payment industry's self-regulating guidelines for merchants.

Payment processors also are to blame for lapses. In 2009, attackers infiltrated the network at Heartland Payment Systems, resulting in the theft of more than 100 million credit and debit cards. The company pledged to bolster point-to-point encryption. More recently, a yet-unnamed payment processor was blamed for the credit card breach at Goodwill Stores in the U.S. and Canada.

Larger retailers may be ensnared by the growing complexity of their interconnected IT systems, said Kenneth Leeser, president of Needham, Mass.-based risk management consultancy and reseller Kaliber Data Security. Complexity often causes vulnerabilities and configuration weaknesses that can be an avenue of attack for remote criminals, Leeser said.

"It's still unclear what is happening at Home Depot, but the types of automated systems that are put in place by large retailers may be providing that initial entry point for criminals that are savvy enough to carry out a multistaged attack," Leeser said.

Despite segmenting its payment systems from other network resources, the attackers behind the Target breach reportedly used stolen account credentials from a Target contractor specializing in heating and ventilation. The initial access was said to be a server that processed invoices for the retailer's business partners.

Many of the data breaches have driven interest in network monitoring tools and stronger antimalware technologies that extend beyond traditional antivirus and intrusion detection and prevention systems, said Kevin Willette, owner of Fridley, Minn.-based solution provider Verus.

"The message is getting out that all businesses are potential targets, not just the largest ones," Willette said. "Malware infections will continue and the only way to protect your business is to increase visibility and safeguard the assets that are most critical to your operations."

PUBLISHED SEPT. 9, 2014