Home Depot said Thursday that its network was breached by hackers who used credentials stolen from a third-party vendor to make off with not only 56 million payment card numbers but also 53 million email addresses.
The giant retailer warned affected customers to be on the lookout for phishing scams that could put passwords and other personal information at risk.
Home Depot said that the stolen vendor credentials did not give the hackers direct access to point-of-sale systems. More likely, the hackers were able to gain legitimate access to the Home Depot network through the vendor account and then pivot laterally until landing on the PoS system.
“The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada,” Home Depot said in a statement.
The findings come more than two months after the data breach was reported on Sept. 2. Home Depot immediately brought in the Secret Service and banking partners to help with the investigation, as well as security companies FishNet and Symantec.
The Home Depot breach followed a similar pattern to Target, which first disclosed that it had lost 40 million payment cards in a breach during the 2013 holiday shopping season. Shortly thereafter, Target said it had lost personal information including email addresses belonging to 70 million people. One stark difference between the two attacks is that the Target breach happened over the course of three weeks; the Home Depot hackers reportedly had access to the retailer’s network from April to September.
Speculation has it that the custom malware used in the breach could have been a variant of the Backoff point-of-sale malware. Backoff has been blamed for more than 1,000 breaches in the U.S. alone, according to an advisory from the Secret Service. Point-of-sale malware is able to sniff payment card data from memory as it’s swiped at a terminal and before it’s encrypted and sent to a payment processor.
A September report from web security company Invincea analyzing Backoff specifically said that it is “not a particularly sophisticated” Windows Trojan and that it should have been detected by available antivirus and intrusion detection signatures. The fact that it wasn’t, Invincea said, means that retailers are not running antivirus protection, or are lax in updating the servers running point-of-sale software.
Home Depot’s determination that the malware was custom-made lends credence to the idea that a variant of Backoff could be to blame.
The retailer also said that user passwords and other personal information were not stolen, and neither were debit card PINs.
“As previously disclosed, the malware used in the attack had not been seen in any prior attacks and was designed to evade detection by antivirus software, according to Home Depot’s security partners,” Home Depot said in its statement. “As the company announced on September 18, the hackers’ method of entry has been closed off and the malware has been eliminated from the company’s systems.”
Home Depot announced in mid-September that it had accelerated an “enhanced encryption” rollout, completing it for all of its U.S. stores on Sept. 13. Canadian locations will have the same rollout completed early next year, Home Depot said. The company also said it will implement chip-and-PIN payment card systems at all of its locations ahead of an October 2015 industry deadline.