Fears grow of Home Depot data breach, exposing customers’ payment details

Graham Cluley

DIY retail chain Home Depot might be the latest big company to be hit by a serious data breach, after suspicions started to circulate that hackers had broken into its systems and managed to steal credit and debit card data.

For understandable reasons, Home Depot is working hard to reassure consumers about the situation – but at the time of writing it’s important to stress there has been no official confirmation that a breach has actually occurred.

Home Depot warning

In a statement on its website, however, Home Depot makes a point of telling customers that if fraudsters abuse stolen payment details it will be the banks or Home Depot who end up paying the bill:


Message to our customers about news reports of a possible payment data breach.

We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately.

For now, you should know the following:

First, you will not be responsible for any possible fraudulent charges. The financial institution that issued your card or Home Depot are responsible for those charges should we confirm a breach.

Make sure you are closely monitoring your accounts and reach out to your card issuer should you notice any unusual activity.

If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers.

According to security blogger Brian Krebs, the stolen payment details could now be amongst a new collection being sold online in criminal underground forums by the same Russian and Ukrainian hackers who are thought to have previously hit other US high street retailers, including Target and PF Chang’s.

Dump for sale

The mention of “American Sanctions” and “European Sanctions” is curious, and suggests that the credit card data of American consumers has been put on sale to other criminals in retaliation for the restrictions imposed on Russia in the wake of the Ukrainian conflict.

Krebs writes that the possible data breach at Home Depot “may extend back to late April or early May 2014”, and could leave a much larger number of people impacted than last year’s catastrophic hack at Target.

Of course, there have been stories throughout 2014 of hackers breaching security at retailers, forcing them into embarrassing public disclosures that can cause consumers to lose confidence about shopping at the brands affected. One example is US supermarket chain Supervalu, where it is thought point-of-sale (PoS) terminals were targeted by malware which scraped card data from the terminal’s memory, where it sits unencrypted for a moment between the card swipe and encryption for transmission to the payment processor.

Just last week, the Payment Card Industry Security Standards Council issued a warning to retailers, telling them to immediately review their security to ensure point-of-sale systems are protected against the notorious Backoff malware. The advice followed a similar warning from the Department of Homeland Security and the Secret Service, which say they have investigated “numerous incidents” in the last year involving the Backoff family of malware.
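To make concrete what “scraping card data from memory” means in the two paragraphs above, here is an added example that is not from the article, from Home Depot or from any real malware sample. It is a small Python scanner that sweeps a byte buffer for Track 2 formatted magstripe data (PAN, separator, expiry, service code) and keeps only hits whose PAN passes the Luhn check and whose expiry month is plausible. RAM-scraping PoS malware applies the same pattern match to a terminal’s process memory; a defender can run the same logic over a memory dump to find card data that should not be sitting there in the clear. The “memory image” is constructed inline, using publicly known test card numbers, and the process name and log strings in it are invented.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMMSSS<discretionary data>?
# PAN is 13-19 digits, '=' is the field separator, then expiry YYMM and a
# 3-digit service code. The ';' and '?' sentinels are left out of the
# pattern because scraped memory often holds the string without them.
TRACK2_RE = re.compile(
    rb"(?<![0-9])([0-9]{13,19})=([0-9]{2})([0-9]{2})([0-9]{3})[0-9]{0,20}\??"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check, which every genuine card PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes) -> list:
    """Return Luhn-validated Track 2 hits found in a raw memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        yy, mm = int(m.group(2)), int(m.group(3))
        if not luhn_valid(pan) or not 1 <= mm <= 12:
            continue            # digits that merely look like a track: skip
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": f"20{yy:02d}-{mm:02d}",
            "service_code": m.group(4).decode("ascii"),
        })
    return hits


# Constructed sample "memory image" of a PoS process (hypothetical, not a
# real dump): two well-formed Track 2 strings built from public test card
# numbers, one string with a bad check digit, and unrelated process data.
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP v2.1\x00"
    + b";4111111111111111=2512101123400001234?"   # Luhn-valid (Visa test PAN)
    + b"\x00" * 8
    + b"log: txn 0042 approved\x00"
    + b";4111111111111112=2512101000000000000?"   # Luhn-invalid, rejected
    + b"\x00" * 4
    + b";5555555555554444=2701201000000000000?"   # Luhn-valid (Mastercard test PAN)
    + b"\x00order-id 1234567890123456 amount=12.50\x00"
)

if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_MEMORY):
        print(hit)
```

On the constructed buffer the scanner reports the two valid cards (masked) with their expiry and service code, and ignores both the string with the wrong check digit and the 16-digit order number, which is never followed by the `=` separator and expiry. Point-to-point encryption at the card reader, which the PCI Council recommends, closes the window this kind of scan exploits, because the track data is encrypted before it ever reaches the PoS application’s memory.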

It’s interesting to see that it is primarily retailers based in the United States who have been impacted by such attacks, and one has to consider whether America’s slow adoption of chip-and-PIN (EMV) technology has made the problem much worse. Track data stolen from a magstripe swipe is enough to write a counterfeit card that works at any magstripe-only terminal, whereas a chip transaction uses a one-time cryptogram that cannot be replayed from a copied stripe.

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
