Home Depot just beat another major retailer -- but not in a way the company would like.
According to Home Depot, an investigation has revealed that the recent data breach put some 56 million credit and debit cards at risk, a number that far surpasses the roughly 40 million cards exposed in last year's attack on Target.
"Fifty-six million cards may not be as big as the huge Heartland Payment Systems breach, but it eclipses both the TJX and Target breaches, and that’s going to cost Home Depot a lot of money," says Trey Ford, global security strategist at Rapid7. "We can expect other large global retailers, such as Wal-Mart, Carrefour, Tesco, and Metro AG, will be paying close attention as the investigation continues."
Ford says this is why big-box retailers are fat targets for sophisticated attackers. "They are able to invest time in researching their targets to find a way into the network. Once they’re in, they stay quiet and fly unobserved under the radar, potentially for months at a time," he says. "It’s really hard for organizations to detect them in many cases because they can be using stolen account details and look like a bona fide user. It’s well worth the planning and patience involved for the attacker when the potential pay day is this significant."
The criminals used custom-built malware to evade detection that Home Depot's security partners have not seen in previous breaches. The malware is believed to have been present between April and September.
One common thread in a number of breaches is a lack of configuration monitoring on point-of-sale terminals, says Steven Ransom-Jones, senior consultant at Neohapsis. "The Payment Card Industry requires the use of file integrity monitoring to detect unauthorized changes to servers that run in the cardholder processing environment," Ransom-Jones says. "The intent of this control is to stabilize a secure processing environment and identify the effects of changes, whether it is by malware or direct intervention (either by a hacker or an administrator circumventing a change management process).
"As payment terminals are dedicated to a single purpose… changes on these devices should be infrequent and managed through an appropriate management process and testing cycle. In this environment, integrity monitoring would be an extremely effective control: any change should be considered as suspicious and investigated immediately."
To protect data until the malware was eliminated, the Home Depot terminals identified as infected were taken out of service. The hackers' method of entry has been closed off, and the company has rolled out enhanced encryption of payment data to all US stores, according to Home Depot. Roll out of encryption to Canadian stores will be completed by early 2015. Canadian stores are already enabled with EMV Chip and PIN technology.
There is no evidence that customers' PINs were compromised in the attack, according to the company.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," says Frank Blake, chairman and CEO, in a statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."