
Home Depot reveals more details on breach, 56M credit cards at risk
MacNN Staff
Join Date: Jul 2012
Sep 18, 2014, 08:19 PM
More information on the breach of home improvement retailer Home Depot was announced today. While the company still says that only stores in North America are affected by the breach, it now adds that the information from 56 million unique payment cards was at risk. The company provided further insight into the steps taken since the breach, including adding stronger encryption, after the malware from terminals was completely removed.

In contrast to the largest malware breach of 2013, Home Depot ended up with significantly more consumers with exposed information than Target did. Target saw more than 40 million payment cards vulnerable during the problematic breach it faced, but the length of Home Depot's vulnerability was much longer. Whereas Target's intrusion was over a three-week period, Home Depot was affected from April to September. The hardware and remodeling chain now holds the title for largest card breach for a retailer in history.

Additional information included some details on the type of malware that was used in the event. The company has said that the malware was a custom-built job that evaded traditional detection. Those helping Home Depot research the breach say that it was a malware that had yet to be seen in such an attack. This falls in line with information that security analyst Brian Krebs and Trend Micro shared after the breach was confirmed.

Home Depot says that the malware is eliminated, with the company going as far as removing any terminals that were identified as being affected. It continues to say there is no evidence PIN numbers were compromised during the breach.

"The hackers' method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all US stores," said the company in a statement to investors. Previously, Home Depot also said that it would be rolling out the use of EMV chip-and-pin technology before the end of the year.

Along with the added encryption, 85,000 new terminals are being deployed. As for the encryption, Home Depot says that the technology from Voltage Security was "tested and validated by two independent IT security firms."

The project was started in January 2014, with completion being reached in the United States on September 13. Rollout in Canada is scheduled to be complete during the first part of 2015. Information on how the new encryption interacted with the infected terminals isn't outlined, nor is how it was tested and verified.

If Home Depot started rolling out the encryption before the malware was completely eliminated, then there could be potential for further issues. Without knowing more about how the timeline played out or how secure the encryption is, it's hard to say that there's no possibility of future customer exposure. Bank sources tell Brian Krebs that compromised cards were still being reported on September 7, five days after Home Depot stated it was looking into activity.

As if to ease the minds of investors, the statement from Home Depot added that the company was on schedule to hit its planned sales figures for the third quarter. However, the forecast doesn't include costs related to the breach, since the company is unable to estimate the total liability it may be responsible for.
( Last edited by NewsPoster; Sep 19, 2014 at 06:55 AM. )
Junior Member
Join Date: Nov 2011
Sep 19, 2014, 12:45 PM
No doubt ApplePay will turn out to have flaws too, but any system that transmits no personally identifiable information (PII) to the merchant has to be an improvement over a system that facilitates the mass harvesting of name, card number, address, and last four digits of the cardholder's Social Security Number --- thus giving the harvesters' customers the quadfecta for getting new PINs for cash withdrawals.
Senior User
Join Date: Jan 2008
Sep 19, 2014, 01:05 PM
56 million...holy cow! How many of your transactions are NOT at risk?!!