Home Depot today finally confirmed that its payment systems have been breached, but a number of crucial questions remain unanswered by the giant home improvement retailer.
In a statement released late this afternoon, Home Depot said customers using payment cards at its U.S. and Canada locations, more than 2,200 in the U.S. alone, could be impacted. Online shoppers have been spared, Home Depot said in its statement.
“While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,” the statement said.
This breach has drawn comparisons to the massive breach of Target retailers during the 2013 holiday shopping season. Target, too, at first claimed no PIN data was compromised, only to reverse course as the investigation progressed, revealing that encrypted PIN numbers were indeed stolen.
Target, meanwhile, was breached only for three weeks, while criminals were on Home Depot’s networks stealing card numbers from its point-of-sale systems from April to shortly before news of a possible breach was reported by Krebs on Security last Tuesday.
Home Depot said it is taking steps to remove the malware from its systems and secure customer data. Consumers impacted by the breach will have free credit monitoring and other identity protection services, Home Depot said.
In an email to Threatpost, spokesperson Paula Drake would not elaborate further on whether customer personal information was also compromised – as in the Target breach – or whether PIN numbers are encrypted.
“The release has all the info we are sharing at this point,” Drake said. “We continue to work around the clock with leading IT security firms, our banking partners and the Secret Service to rapidly gather facts and provide information to customers.”
Home Depot announced last week that it had hired FishNet Security and Symantec to handle the forensics investigation. Banking partners and the U.S. Secret Service have also been brought in starting last Tuesday when those same partners began reporting the possibility of a breach.
Speculation has it that Home Depot may have been breached by the same gang behind the Target breach, using a variant of the BlackPOS point-of-sale malware. Like most PoS malware, BlackPOS drains credit card numbers from memory before they’re encrypted. BlackPOS is only one of many PoS malware families; Backoff is the latest and likely most notorious. The Secret Service recently issued an advisory warning of Backoff, and reported that more than 1,000 businesses had likely been compromised.
In the meantime, Krebs on Security last week published additional research culled from the underground forum hosting the reportedly stolen credit cards taken from Home Depot. Krebs said the rescator[.]cc site, the same forum that sold cards stolen from Target, indexed the purported Home Depot numbers by city, state, and ZIP code and a comparison of those ZIP codes against a commercial marketing list showing locations and ZIP codes of Home Depot retail locations in the U.S. overlaps almost 100 percent.
Home Depot also today said it would accelerate its chip-and-pin rollout, wrapping up the implementation by the end of the year, ahead of the October 2015 deadline imposed by the payment card leaders.