Last night security blogger Brian Krebs reported that US retailer Home Depot had suffered a major breach of credit and debit card data that may stretch back to late April or early May of this year.
After banks raised the alarm about a massive new batch of stolen credit and debit cards that went on sale on the dark web, Home Depot spokesperson Paula Drake confirmed that the company is investigating. Krebs said that there are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others.
Krebs said that it is not clear at this time how many stores may have been impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico.
Michael Sutton, VP of research, Zscaler:
“Home Depot has joined the not-so-exclusive data breach club. This latest credit card breach appears to have followed the same pattern as previous breaches at Target, Neiman Marcus, PF Chang’s and a host of others where attackers first gained access to the corporate network and then infected the point of sale terminals with RAM scraping malware capable of gathering magnetic stripe data from cards recently used at the terminal. While the full scope of the breach remains to be seen, given the number of Home Depot stores and the volume of daily transactions, it is possible that this will rival the Target breach in terms of impact.
“It is also concerning that in virtually all of the breaches that we’ve seen over the past year, the attack is almost always uncovered not by the retailer, but by payment processors or law enforcement officials after detecting anomalous transaction patterns and generally after card data has been stolen for weeks or months.
“Beyond implementing chip and PIN technology, retailers have a long way to go when it comes to implementing appropriate detective security controls that would mitigate the damage from these attacks by identifying them as quickly as possible should they occur. It is concerning that gigabytes of credit card data can be siphoned from hundreds of retail stores each day for months and ultimately be sent to attackers in Eastern Europe without alarms being raised or reacted to.”
Ken Westin, security analyst at Tripwire:
“It’s safe to say that mega retailer point-of-sale data breaches are approaching the point of an epidemic. These breaches are having a significant impact on consumer trust and many of the retailers still do not fully comprehend the scope or origin of the breaches.
“Organized criminal syndicates are actively targeting U.S. retailers simply because they’ve become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected.
“Pretty much all of these retailers have been notified of potential fraud after the fact, usually by fraud analysts at financial institutions who detect stolen credit card activity. They then map the activity back to specific retailers as the common point of origin.”
Philip Lieberman, CEO of Lieberman Software:
“No surprise that this would happen. We were in contact with them many years ago trying to convince them to implement automation technology to rotate their passwords, but they chose to implement a less expensive and inferior solution from an off-shore company. The rest of the targets in the listed article by Krebs purchased the same ineffective technology from the same off-shore company with similar results.”
Authentify President Peter Tapling:
“The number of compromised cards could rival the Target breach if indeed this breach affected all 2,200 Home Depot stores and the breach goes back to April 2014. The ‘American Sanctions’ name for the card batches for sale are an interesting twist. Is this just a group that sympathizes with Russia? Or is it a state actor involved directly?
“Examples of such a ‘sign’ could be that a similar attack was used to exfiltrate the data or that an inordinate number of bank customers have been questioning charges on cards which had recently been used at Home Depot stores. Or it could be as simple as the sellers of the card batches are the same sellers for the card batches from the other breaches. Notices of these types of attacks will be a weekly if not daily occurrence so long as bank card information is of value to the fraudsters. To those consumers who are not regularly checking their credit card activity, this should be another wake up call to do so.”
Kyle Kennedy, CTO, STEALTHbits Technologies:
“How many more retail breaches need to occur industry wide before consumers rise up and start demanding proactive protection surrounding their personal information prior to the purchasing of goods and services from a company?
“Is it time for a third party service provider focused solely on financial transactions and securing the consumer’s personal information the answer for the consumer AND the retailer? Or is the risk of personal information potentially being breached so accepted by consumers that change isn’t possible? I refuse as a consumer and a security executive that change isn’t possible around one of the most fundamental components of business; the buying of goods and services via credit cards.
“The technology is available for both the consumer and the retailer today to increase security exponentially and reduce the threat surface available to attackers. When will the collective light bulb turn on for industries as it does when a retailer and/or individual consumer is breached? Perhaps we are afraid that the increase in security will somehow impact our ease of use commerce patterns negatively – I see it quite the opposite.”
Patrick Thomas, security consultant at Neohapsis:
“Historically, when organisations learn of their own compromise by reports from unrelated third parties it means that the intrusion has been ongoing for months. While traditional emphasis on breach prevention remains important, mature organisations are also placing significant resources into defence-in-depth approaches that frustrate attackers’ ability to move around the network to exfiltrate data. Each time an attacker is forced to do something unusual to overcome these internal defences, it provides an additional opportunity for monitoring systems to identify the intrusion.
“There’s little that consumers can do directly to protect themselves from these sorts of compromises. Certainly all consumers should keep a close eye on their credit card statements and credit report, but they can also vote with their dollars and reward companies that publicly demonstrate a commitment to security.”
Steve Hultquist, chief evangelist for RedSeal Networks:
“Retail breaches continue to demonstrate the sophistication of the attackers and the reward they receive being worth the investment they make in their attacks. These investments mean that enterprises must likewise increase their defensive investments, especially in the analysis of potential attack vectors. Simply reacting while attacks are in progress is insufficient.
“Each enterprise must know its network security architecture and have automated analysis to ensure that the entire end-to-end network complies with its policies. Not doing so is effectively agreeing to be attacked in unknown ways and having to deal with the impacts of a breach.”
Eric Chiu, president & co-founder at HyTrust:
“The potential breach at Home Depot feels like déjà vu in the wake of Target’s massive breach last year. The reported extent and timeline dating back to April and May of this year would indicate a similar type of incident to Target where attackers were able to get onto the network to siphon off large amounts of data without being detected.
“This should be another major wake up call to every company that insider threats are the main cause of breaches, especially given the connected world we live in and the concentrated data center environments that are a gold mine for attackers. These breaches are no longer a security or IT issue, but rather a business issue given the potential of massive losses and brand damage.”
Russ Spitler, VP of product strategy for AlienVault:
“We are seeing a stark reality of the economic incentives the hackers are exploiting. Major retail chains are easy targets because they have not invested in cyber security. Banks are no longer easy targets, they have fortified themselves and even built protections for their consumers, but point of sale systems originally designed and built years ago are easy places to grab a foothold.
“Hackers are focusing on retailers because ‘that is where the money is’ – it is the easiest target with the greatest reward. These criminals are doing the cost analysis of the investment they need to make to breach a target and what they are going to get in return. We have just seen reports of incredibly sophisticated attacks against major Wall Street banks – customised malware and long campaigns – if that is what it takes to break into a bank, no wonder the bigger breaches are focusing on the less sophisticated targets with just as large an economic potential.”
Tom Cross, Director of research, Lancope:
“Unfortunately, we expect to continue to hear stories like this one, as attacks on retailers have proven to be an effective means for computer criminals to make money. Every organisation that processes credit card numbers with point of sale terminals that are connected to computer networks should assume that their network has already been targeted or will be targeted in the near future.
“Organisations that handle payment cards need to look at their exposure to attack, as compliance with industry standards does not necessarily equate with security. They also need to start looking inside of their networks to see if they can detect compromises already in progress. Many organisations lack the tools and processes needed to detect attacks once they’ve bypassed the perimeter. That’s an area that needs greater emphasis from information security programs.”
Stephen Coty, chief security evangelist for Alert Logic:
“Home Depot is yet another victim of credit card theft this year. They are in good company with Target, Michael’s, Specs, Neiman Marcus, P.F. Chang’s, and White Lodge. This trend shows us that retailers are having a tough year keeping ahead of their malicious adversaries.
“To detect this type of attack in your environment you really have to rely on your defence in depth strategy and especially your log management and NetFlow solutions: log management will allow you to find unknown services being started on workstations that might be infected and NetFlow will allow you to find large payloads of data going to countries that you may have on a watch list or don’t conduct business in. So there are ways you can prevent more of these attacks from happening in the future. You just need to make the investment into the proper technology, people and process.”
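The two checks described in the last comment, sketched as an added example that is not part of the article or of any quoted vendor's product: summing NetFlow bytes from point-of-sale hosts to watch-list countries, and flagging services started outside a known baseline. The record formats, subnet, threshold, prefix-to-country table and service names are all constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

# Everything below is constructed sample data (documentation IP ranges,
# placeholder country codes), not indicators from the Home Depot incident.
GEO = {"203.0.113.0/24": "XA", "198.51.100.0/24": "XB"}  # assumed prefix -> country
WATCH_LIST = {"XA"}                                # countries with no business ties
POS_NET = ipaddress.ip_network("10.20.0.0/16")     # assumed POS terminal subnet
BYTES_PER_DAY_LIMIT = 50_000_000                   # assumed per-host daily ceiling
BASELINE_SERVICES = {"pos-app", "av-agent"}        # services expected on a terminal

FLOWS = """day,src,dst,bytes
2014-09-01,10.20.1.15,198.51.100.7,1200000
2014-09-01,10.20.1.15,203.0.113.9,40000000
2014-09-01,10.20.1.15,203.0.113.9,35000000
2014-09-01,10.20.3.8,203.0.113.9,900000
2014-09-01,10.30.0.4,203.0.113.9,90000000
"""
SERVICE_EVENTS = """host,service
pos-0115,pos-app
pos-0115,svc-unknown-1
pos-0308,av-agent
"""

def country(ip):
    """Map a destination IP to a country code using the constructed GEO table."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None

def flag_exfil(flow_csv):
    """Return (day, src, country, bytes) where a POS host exceeds the daily limit."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if ipaddress.ip_address(row["src"]) not in POS_NET:
            continue  # only terminals are in scope for this check
        cc = country(row["dst"])
        if cc in WATCH_LIST:
            totals[(row["day"], row["src"], cc)] += int(row["bytes"])
    return sorted(k + (v,) for k, v in totals.items() if v > BYTES_PER_DAY_LIMIT)

def unknown_services(event_csv):
    """Return (host, service) pairs for services missing from the baseline."""
    rows = csv.DictReader(io.StringIO(event_csv))
    return sorted((r["host"], r["service"]) for r in rows
                  if r["service"] not in BASELINE_SERVICES)

if __name__ == "__main__":
    print(flag_exfil(FLOWS))
    print(unknown_services(SERVICE_EVENTS))
```

Summing per host per day matters because the two 40 MB and 35 MB flows each sit under the ceiling on their own; only the aggregate crosses it.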