Home Depot probes ‘unusual activity’ — expert says hack might be bigger than Target

Click to visit KrebsOnSecurity.com
Click to visit KrebsOnSecurity.com

Home Depot Inc. is investigating “unusual activity” and working with banking partners and law enforcement, the firm told me Tuesday.

The confirmation comes after Security researcher Brian Krebs reported a credit card hacker attack on the firm. According to a post on Krebs’ website, the theft is similar to the massive hack that hit Target stories last year, and might include thousands of Home Depot locations.

In a subsequent Tweet, Krebs said he was “hearing” that the hackers had access to Home Depot systems from “May ’14-present. If true, Home Depot breach could be much larger than Target.”

Target has 1,795 stores in the U.S, and another 130 in Canada. Home Depot has 2,200 stores in the U.S., Canada, and Mexico.

“At this point, I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Home Depot spokeswoman Paula Drake said in an email to me. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers.  If we confirm that a breach has occurred, we will make sure customers are notified immediately.  Right now, for security reasons, it would be inappropriate for us to speculate further. We will provide further information as soon as possible.”

Boris Gorin, head of security engineering, FireLayers, a cloud app control provider, said that Home Depot uses point of sale terminals similar to those used by Target last year. He offered some interesting speculation into a possible attack vector.

“While I do not have direct information on the breach, one could definitely speculate it is related to PoS systems lack of security. Just recently the Secret Service issued an advisory about PoS malware called Backoff (https://www.us-cert.gov/ncas/alerts/TA14-212A) which is known to exfiltrate consumer payment data,” Gorin said.

“Unless hardened with 3rd party solutions, those systems are susceptible to the same attacks that were carried out at Target earlier this year using memory scraping software that reads the data off the magnetic stripe of the card while it is being processed in the POS memory. Earlier this year, a security researcher who had bought a used PoS machine on eBay has found “eye-opening mix of default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system (click for story). Malware targeting POS, such as one used at Target remains readily available. After a quick inquiry I was able to find several Russian sites where one could buy such software e.g. for VeriFone POS for 700$ or other ranging between $2,500 to $5,000.” 

Krebs said the hacker who posted a link bragging about the heist and offering the stolen data for sale called the files “American Sanctions” and “European Sanctions,” an allusion to the ongoing geopolitical fight over the situation in the Ukraine and the recent imposition of sanctions by Europe and the U.S. against Russia.

While the alleged criminal sharing the stolen data alludes to economic sanctions against Russia, it’s quite possible that’s more hacker humor than political statement.

Sign up for Bob Sullivan’s free email newsletter. 

About Bob Sullivan 1334 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.