Home Depot has admitted that 56 million unique payment cards were affected by the cyber attack.
In a statement, Home Depot confirmed that it has eradicated the malware and completed a payment security project to provide enhanced encryption of payment data on its Point of Sale terminals from next year.
In a two week investigation, it said that its own IT security team has been working around the clock with leading IT security firms, its banking partners and the Secret Service to rapidly gather facts, resolve the problem and provide information to customers.
The key findings were that criminals used unique, custom-built malware to evade detection that had not been seen previously in other attacks, according to Home Depot’s security partners, and that the malware is believed to have been present between April and September 2014.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” it said. “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all US stores.”
Chris McIntosh, CEO of ViaSat UK, said: “The news that over one sixth of the United States’ population have had their credit card details stolen should be all the proof needed that cyber attacks aren’t just something that happens to the occasional unlucky or gullible individual.
“While ultimately the malware that infected Home Depot is to blame, the fact that the threat remained undetected for five months shows that a more robust approach is needed. The fact that the in-store payment system failed to do this is unacceptable when fraud and cyber attacks are increasing in sophistication by the minute.”
The company’s new payment security protection is provided by Voltage Security, and locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.
Asked if this could have a lasting impact upon Home Depot, Eddy Willems, security evangelist for G Data, told IT Security Guru that he thought it would.
“It is not a good for the image but for the board, and this will always harm the image of the company, and I think we will also see reactions from CSO or CEO to this [as there was with Target],” he said.
“This not the first time, and will not be the last time. The problem is that everybody is giving too many personal details to companies; and how can you stop something like that? It should be regulated or centralised in a different way, so that your email address or only a specific number is shared; but not everything as every company can be targeted!”