Home Depot’s data breach officially stole data from more than 56 million payment cards during a five-month assault. Based on the latest data released from both Home Depot and Target, that number has the Home Depot breach impacting 40 percent more cards than the 40 million from the Target breach.
“The attack already had appeared large enough to prompt big card-issuing banks including J.P. Morgan Chase to start replacing customers’ debit and credit cards that were exposed in the attack,” reported The Wall Street Journal. “Capital One Financial Corp. said late Wednesday night that it, too was planning to reissue payment cards.”
Home Depot said that the attackers used “custom-built malware to evade detection. The malware had not been seen previously in other attacks. The malware is believed to have been present between April and September 2014.”
The chain also confirmed that it has accelerated plans to boost its security. “The company’s new payment security protection locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers. Home Depot’s new encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms,” said a Home Depot statement. “The encryption project was launched in January 2014. The rollout was completed in all U.S. stores on Saturday, September 13, 2014. The rollout to Canadian stores will be completed by early 2015. EMV Chip and PIN technology, which began rolling out in early 2013 and already exists in Canadian stores, will be deployed to all U.S. stores by the end of the year, well ahead of a 2015 deadline established by the payments industry.”
Interestingly, Krebs On Security reported the new Home Depot breach figures actually would have been much larger, but the numbers were limited because the thieves chose to only attack self-checkout units.
“Many banks have been bracing for a financial hit that is much bigger than the exposure caused by the breach at Target, which lasted only three weeks and exposed 40 million cards,” the Krebs report said. “But so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.” Krebs also reported that MasterCard is telling financial institutions that it “found evidence of compromise at approximately 1,700 of the nearly 2,200 U.S. stores, with another 112 stores in Canada potentially affected.”