Home Depot Inc. is investigating “unusual activity” and working with banking partners and law enforcement, the firm told me Tuesday.
The confirmation comes after Security researcher Brian Krebs reported a credit card hacker attack on the firm. According to a post on Krebs’ website, the theft is similar to the massive hack that hit Target stories last year, and might include thousands of Home Depot locations.
In a subsequent Tweet, Krebs said he was “hearing” that the hackers had access to Home Depot systems from “May ’14-present. If true, Home Depot breach could be much larger than Target.”
“At this point, I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Home Depot spokeswoman Paula Drake said in an email to me. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further. We will provide further information as soon as possible.”
Boris Gorin, head of security engineering, FireLayers, a cloud app control provider, said that Home Depot uses point of sale terminals similar to those used by Target last year. He offered some interesting speculation into a possible attack vector.
“While I do not have direct information on the breach, one could definitely speculate it is related to PoS systems lack of security. Just recently the Secret Service issued an advisory about PoS malware called Backoff (https://www.us-cert.gov/ncas/alerts/TA14-212A) which is known to exfiltrate consumer payment data,” Gorin said.
“Unless hardened with 3rd party solutions, those systems are susceptible to the same attacks that were carried out at Target earlier this year using memory scraping software that reads the data off the magnetic stripe of the card while it is being processed in the POS memory. Earlier this year, a security researcher who had bought a used PoS machine on eBay has found “eye-opening mix of default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system (click for story). Malware targeting POS, such as one used at Target remains readily available. After a quick inquiry I was able to find several Russian sites where one could buy such software e.g. for VeriFone POS for 700$ or other ranging between $2,500 to $5,000.”
Krebs said the hacker who posted a link bragging about the heist and offering the stolen data for sale called the files “American Sanctions” and “European Sanctions,” an allusion to the ongoing geopolitical fight over the situation in the Ukraine and the recent imposition of sanctions by Europe and the U.S. against Russia.
While the alleged criminal sharing the stolen data alludes to economic sanctions against Russia, it’s quite possible that’s more hacker humor than political statement.