Home Depot Touts Data Encryption Measures Following Massive Breach

Home Depot lacked fully deployed data encryption, giving attackers access to a treasure trove of credit card data between April and September 2014 -- amounting to a cache of up to 56 million unique credit and debit cards.

Security experts tell CRN that even with the data encryption fully deployed, the attackers targeted a weakness in the company's payment terminals that bypasses the data protection measures. The criminals used malware that accesses system memory, where data is stored in cleartext for a short period of time. The data breach investigation uncovered unique, custom-built malware designed to evade detection, according to a statement issued by Home Depot Thursday.

"The malware had not been seen previously in other attacks, according to Home Depot’s security partners," the company said in its statement. "To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements."

Home Depot warned Wall Street investors that it was incurring about $62 million in breach-related expenses and would likely receive a reimbursement of $27 million from its data breach insurance coverage. The company said it would be difficult to predict additional expenses, which could include a payment to banks and processors for credit card fraud and card reissuance costs, litigation expenses and further remediation activities. The Home Depot breach of 56 million debit and credit cards eclipses the Target breach, which saw 40 million stolen cards. Target projected its breach expenses at $148 million.

Home Depot pointed out that it has completed the deployment of new encryption technology from Cupertino, Calif.-based Voltage Security in its U.S.-based stores. Voltage sells a proprietary platform that supports both format-preserving encryption, which encrypts structured data such as credit card and Social Security numbers, and tokenization, which replaces credit card numbers with a random string of numbers. The project started in January. Canadian stores will have the new encryption in place by early 2015, the company said.

Home Depot is also on track to roll out EMV (Europay, MasterCard and Visa) chip-and-PIN technology by the end of the year in its U.S. stores. Home Depot is rolling out 85,000 new EMV-enabled terminals. Target also has deployed EMV payment terminal technology.

The payment industry is slated to transition to the new chip-based credit cards, but experts tell CRN that the rollout is expected to take up to eight years. EMV will prevent fraudsters from using fraudulent cards at Home Depot and Target stores, but it won't eliminate card-not-present transactions, such as those at Amazon and other online retailers, said Ruston Miles, chief innovation officer at Atlanta-based Bluefin Payment Systems, a solution provider that specializes in point-to-point encrypted payment systems.

"Using EMV, fraudsters will be able to attack and possess the same credit card data, but they won't be able to duplicate a card; instead, they will be able to conduct fraudulent online transactions," Miles said. "Online fraud will go up significantly."

The major credit card brands have set an October 2015 target for merchants to get new EMV-enabled terminals in place. Merchants that meet the deadline would be able to shift liability for fraud that takes place after the EMV-enabled terminals are fully functional.

The latest string of retail breaches appears massive in scale, but card-issuing banks and the credit card brands themselves calculate that credit card fraud is holding at acceptable levels, said Kevin Grieve, a payment industry veteran and partner in consulting firm Strategy&, who leads the firm’s payments business. In addition to expenses in upgrading equipment and software, merchants struggle with frustrated customers and brand reputation damage following a breach, Miles said.

"You'll see top-tier merchants more likely to get on board and move the ball with EMV adoption, but there are millions of small-business merchants and it's unclear that they will have the same level of motivation to move as quickly," Miles said. "Smaller merchants will look for more turnkey solutions to get benefits out of the box in combination with a merchant acquirer or processor."