After weeks of knowing about the issue, a report came out last week alerting the public that Home Depot’s computers have been hacked for about five months now, revealing the credit and debit card information of millions of customers. The hackers are still unknown, but are believed to be among two groups. The hackers managed to steal debit and credit card information from millions of customers who made in-store transactions in the United States and Canada by installing malware on the registers that looked like the popular antivirus software McAfee. As customers swiped their cards, the malware would capture the the card numbers and send the information to the hackers.
The amount of credit and debit card information is still unsure, but experts expect the amount to be significantly larger than Target’s case, where hackers stole 40 million debit and credit cards in only three weeks. Home Depot is still investigating this breach, but insists there is not evidence that debit card PINs were exposed. However, banks and law enforcement are noticing an increase in fraudulent withdrawals from the stolen debit cards. Home Depot’s spokeswoman would not comment on the amount of cards that may have been hacked, or the report of bank account withdrawals. Along with these withdrawals, the large amount of card information is being sold in “cybercrime shops online.”
In efforts to relieve some of the issues caused by this hack, Home Depot is now offering free identity protection and credit monitoring to anyone who has shopped their since April. In addition, they are also installing more secure terminals.
More information on this attack can be found on CNN’s website and Business Week’s website. This page will also be updated as soon as additional information is available. For tips on keeping your card information safe, follow this link to Time magazine’s business article on card security.
Update: On September 18th, BusinessWeek reported that Home Depot failed to take precautions against the attack. Despite the previous smaller attacks that happened in the past, the company decided to disregard advice from security contractors, which suggested they activate an unused part of their antivirus software that would have added an additional layer of protection to the terminals. It is unclear why the intrusion detection feature (Symantec’s Endpoint Protection) wasn’t activated on the systems, but Home Depot decided to keep the security on the network level rather than on the terminals. In addition to this, the company did not have the information stored on the terminals encrypted, which would have made the information difficult, if not impossible, to read. These shortcomings resulted in 56 million cards at risk, and is estimated to cost Home Depot $62 million this to recover from the breach. Since the hack, Home Depot has removed the malicious software from the terminals and implemented enhanced encryption on the terminals. The company plans on updating their antivirus to a newer version and activating the additional feature on the software in the near future.