Home Depot has confirmed its payment systems have been hacked at nearly 2,200 stores in US and Canada. The stealing-code used for the breach could reportedly point at a Russian connection in the case.
The US’s fourth-largest retailer announced on Monday it
investigates five months of transactions now that the
cyber-attack was apparent. While the company officials do not
specify the possible scale of the damage done, experts believe it
could turn out one of the biggest data breaches in history.
"We owe it to our customers to alert them that we now have
enough evidence to confirm that a breach has indeed
occurred," Chairman and Chief Executive Officer Frank Blake
said in a statement. "It is important to emphasize that no
customers will be responsible for fraudulent charges to their
accounts."
The confirmation came a week after a security blogger Brian Krebs
warned that Home Depot stores could be the source of stolen
credit and debit card data which went on sale on the black
cyber-market - rescator[dot]cc.
Home Depot says no PINs stolen in breach, but some banks report spike in ATM fraud on cards recently used at HD http://t.co/MAdybEBFRa
— briankrebs (@briankrebs) September 9, 2014
That’s the latest in a row of massive data breaches at large retailers in the US in less than a year.
The worst-hit so far has been Target Corp, which revealed in
January that hackers stole sensitive data from some 110 million of their
customers as part of a pre-Christmas data breach, which also
affected Neiman Marcus and Michaels Companies Inc.
Investigators revealed the malware used for hacking Target was
one named ‘BlackPOS’ and also known as
‘Kaptoxa’ (‘kartoshka’, or ‘potato’ in
Russian). More Russian words were found in the code of the virus.
In August, a Wisconsin-based security firm said that a gang of
Russian cybercriminals was responsible for large-scale stealing
of internet credentials.
READ MORE: Russian cybergang accused of
accumulating most stolen web credentials ever
The code used for stealing the Home Depot customers’ credentials
was reportedly a modified version of the one used for the Target
data breach. It could not yet be determined though if the attack
on Home Depot was carried out by the same gang that stole data
from Target.
The code also contained Russian words and included links to a
Wikipedia article on a list of wars involving the US and the
website for a book titled, ‘America's Deadliest Export:
Democracy’, according to the Wall Street Journal, citing an
anonymous source close to investigation.
The way the stolen credentials were sold on the black market was
one to also suggest a ‘Russian hand’ in the matter.
“In what can only be interpreted as intended retribution for
US and European sanctions against Russia for its aggressive
actions in Ukraine, this crime shop has named its newest batch of
cards ‘American Sanctions’,” Krebbs writes in his security
blog. “Stolen cards issued by European banks that were used
in compromised US store locations are being sold under a new
batch of cards labeled ‘European Sanctions’.”
Whoever behind the Home Depot breach, it once again showed the US
was lagging behind Europe in use of microchips in credit and
debit cards, which make transactions more secure. Retailers,
banks and card companies have lately been active trying to adopt
the technology.
Home Depot has been among them, promising to introduce PIN- and
chip-enabled cards at all its US stores by the end of the year.
Now it promises free identity-protection services, including
credit monitoring, to any customers potentially impacted in the
cyber-attack.