Wondering if your data was lost? It's impossible to say as Home Depot won't even give customers the facts

What do the three biggest credit card thefts of all time have in common?  Well, they all preyed on the giants of American retail and their customers.  And they all used malware that targeted Microsoft Corp.'s (MSFT) weakly secured Windows XPe operating system.  Two of those hacks occurred within the last year, with one announced just in the last month.

I. The Biggest Credit Card Theft in History

That hack -- the breach of America's top home improvement retail chain The Home Depot Inc. (HD) -- was finally quantified somewhat in a company press release [PDF] two weeks after it was first disclosed.  The grand total, which everyone has been wondering about, is approximately 56 million unique payment cards stolen (likely by Russian hackers).

That puts the hack ahead of Target Corp.'s (TGT) loss of an estimated 40 million credit and debit cards over roughly three weeks of last year's holiday season, from late November to mid-December.  It also puts it well ahead of the 45.6 million cards stolen from The TJX Companies, Inc.'s (TJX) TJ Maxx stores by hacker Albert Gonzalez (handle: "SoupNazi") and his cohorts in a hack that was disclosed in 2007.

Home Depot did not say what other records were stolen along with the card data.  But security researcher Brian Krebs, who first disclosed the breach to the public, writes:

Here’s the critical part: The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device).

The hack of TJ Maxx was in some regards bigger, as the Associated Press points out, as it encompassed 90 million records, roughly half of which were non-credit card data relating to store rewards programs.  So technically speaking the Home Depot hack is the biggest known retail credit/debit card loss in history (ahead of TJ Maxx), and the second biggest customer record loss in history (behind only TJ Maxx).

The theft of customer records alongside the card data is particularly damaging because it makes it far easier for those who buy the attackers' illegally obtained trove to commit financial crimes against the customers whose data was lost.  Paired with the cardholder's name and the city, state and ZIP of the store where the card was swiped, the track data lets a buyer of the dump cut a counterfeit card and use it close to where the real cardholder shops, which blunts the geographic fraud checks issuers rely on to flag out-of-pattern purchases.

II. How Did the Hackers Get in?  Home Depot Won't Say

Home Depot's press release didn't bother going into much detail about how it managed to find its way into the record books.  Rather, it spent half the press release discussing financials.  What it did say was the following:

To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements.  The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.

[The new payment encryption] locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.

Home Depot’s new encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms.  The encryption project was launched in January 2014. The rollout was completed in all U.S. stores on Saturday, September 13, 2014. The rollout to Canadian stores will be completed by early 2015.

It did not mention any specifics about how long the malware was in its systems, what kinds of point of sale (POS) hardware were compromised, or how hackers gained access to its networks.
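The two technical points in the passages above, what a point-of-sale memory scraper harvests (the Track 2 data needed to fabricate counterfeit cards, per Krebs) and why encrypting the card data at the reader makes it "virtually useless to hackers", can be shown side by side. The following is an added example written for this article; it is not Home Depot's, Voltage Security's or Krebs's code, and it stands in an HMAC-SHA256 counter-mode keystream with an HMAC tag for whatever cipher a real point-to-point encryption product uses. The track records, the register memory image and the key are all constructed for the demonstration (the PAN 4111111111111111 is the industry's standard Luhn-valid test number).

```python
import hashlib
import hmac
import os
import re

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?' (LRC follows).
# This is the pattern a POS RAM scraper searches process memory for.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; scrapers use it to discard false positives from a memory image."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(memory: bytes) -> list:
    """What the malware does: scan a register's memory image for Luhn-valid Track 2 data."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the key injected into the reader."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the product's real cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def reader_encrypt(key: bytes, track: bytes) -> bytes:
    """Runs inside the card reader: the register only ever receives this blob."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(enc_key, nonce, len(track))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def host_decrypt(key: bytes, blob: bytes) -> bytes:
    """Runs at the host that holds the key; verifies the tag before decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def register_memory(*payloads: bytes) -> bytes:
    """Constructed stand-in for a register process image: padding around what it holds."""
    body = b"".join(b"\x00" * 32 + p for p in payloads)
    return b"REGISTER.EXE" + body + b"\xff" * 32


# Constructed test cards: the standard test PAN and a Luhn-invalid look-alike.
GOOD_TRACK = b";4111111111111111=2512101123456789?"
BAD_TRACK = b";4111111111111112=2512101123456789?"


def demo():
    key = os.urandom(32)  # hypothetical reader key; in practice injected at a key-injection facility
    # Legacy register: plaintext track data sits in memory and the scraper finds the valid PAN.
    legacy_hits = scrape_track2(register_memory(GOOD_TRACK, BAD_TRACK))
    # Encrypting reader: the register only ever holds ciphertext, so the scraper finds nothing.
    blob = reader_encrypt(key, GOOD_TRACK)
    p2pe_hits = scrape_track2(register_memory(blob, BAD_TRACK))
    return legacy_hits, p2pe_hits, host_decrypt(key, blob) == GOOD_TRACK


if __name__ == "__main__":
    print(demo())
```

The point of the second half is not the cipher but where the key lives: the register, the machine the malware actually runs on, never holds it, so a memory scrape there yields only the blob. That is also why the malware had to sit on the terminals in the first place: the track data is in the clear on the register only between the swipe and whatever encryption the software applies, and a legacy XPe register with no reader-side encryption leaves it there for the taking.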

There's some rumor that hackers in the Home Depot leak may have had some sort of insider connection that allowed them to gain access to Windows XPe terminals at thousands of Home Depot stores across the country.  But such commentary appears at best specious speculation at present, as the man who's provided us with the most details on the hack -- Brian Krebs -- has made no such suggestion.

In fact, it's perfectly possible that hackers entered through a third party partner compromised with traditional remote penetration techniques.  The Target hack, for instance, is believed to have been orchestrated entirely from outside the country, with hackers gaining access to local Target store networks via a heating ventilation and air conditioning (HVAC) firm.  

At the time, experts commented that such access is often given in the retail world to HVAC firms and other trusted third parties.  Experts also commented that it is not uncommon for POS terminals to be on the same network as climate control and other externally accessible systems.  Thus it is entirely possible that the Home Depot hackers breached the retailer's network through a similar route, without ever setting foot in the U.S.
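The segmentation failure described above is the kind of thing a flow audit catches: if a vendor's remote-access range or the climate-control segment can reach the registers, the policy is broken regardless of how the vendor was compromised. Below is an added example, not code from any retailer or from the sources cited here, that checks constructed flow records against an allow-list of segment-to-segment flows. The address ranges, the segment names, the record format and the sample flows are all hypothetical; 203.0.113.0/24 is a documentation range standing in for a third party's remote-access addresses.

```python
import ipaddress

# Hypothetical store network segments (constructed for the example, not a real retailer's addressing).
SEGMENTS = {
    "pos":     ipaddress.ip_network("10.10.0.0/24"),    # registers and self-checkout lanes
    "hvac":    ipaddress.ip_network("10.20.0.0/24"),    # climate-control controllers
    "payment": ipaddress.ip_network("10.30.0.0/24"),    # payment switch / gateway
    "vendor":  ipaddress.ip_network("203.0.113.0/24"),  # third-party remote-access range
}

# The only cross-segment flows the policy permits: (source segment, destination segment, dst port).
ALLOWLIST = {
    ("pos", "payment", 443),   # registers talk to the payment gateway, nothing else
    ("vendor", "hvac", 443),   # the HVAC vendor reaches its controllers, nothing else
}


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str):
    """Constructed record format: '<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>'."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError("malformed flow record: " + line)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), proto


def audit_flows(lines) -> list:
    """Return every cross-segment flow that is not on the allow-list."""
    violations = []
    for line in lines:
        ts, src_ip, _, dst_ip, dst_port, proto = parse_flow(line)
        src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
        if src_seg == dst_seg:
            continue  # intra-segment traffic is out of scope for this check
        if (src_seg, dst_seg, dst_port) not in ALLOWLIST:
            violations.append((ts, src_seg, src_ip, dst_seg, dst_ip, dst_port, proto))
    return violations


# Constructed sample flows: two permitted, two that should never appear on a segmented network.
SAMPLE_FLOWS = [
    "2014-04-12T03:14:07Z 10.10.0.21:51000 -> 10.30.0.5:443 tcp",     # register -> payment gateway
    "2014-04-12T03:15:22Z 203.0.113.40:49152 -> 10.20.0.9:443 tcp",   # vendor -> HVAC controller
    "2014-04-12T03:16:01Z 10.20.0.9:50231 -> 10.10.0.21:445 tcp",     # HVAC controller -> register SMB
    "2014-04-12T03:17:45Z 203.0.113.40:49153 -> 10.10.0.22:3389 tcp", # vendor range -> register RDP
]


if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

Run against real flow exports the same logic is a regression test for the segmentation policy: the two flagged records are exactly the paths (third party to register, climate control to register) that the Target post-mortems said should not have existed.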

What makes that even more likely is that the same ring of Russian and eastern Ukrainian hackers who were behind the Target hack is believed to have carried out the Home Depot heist as well.  They even reportedly used the same malware in the Home Depot breach, albeit a newer version.

III. Wondering if Your Card Was Lost? Home Depot Won't Let You Find Out Yet

Brian Krebs revealed in a recent post that his sources who are close to the investigation indicated that the hackers primarily stole credit card data from self-checkout POS machines.  He elaborates:

The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding means thieves probably stole far fewer cards during the almost five-month breach than they might have otherwise.

Assuming he's right that the hack lasted almost five months and targeted the self-checkout kiosks, it's still unclear exactly when it began.  Counting five months back from a breach that was still running when it came to light in early September would put the start around April.  Home Depot's own commentary, on the other hand, hints that it may have happened around the same time as the Target hack, given that the new encryption deployment was launched in January of this year.

Target deserves some small degree of credit.  As bad as the hack was, and as clumsy as some of its subsequent moves were (such as giving its resigning CEO an impressive golden parachute to sail away on), it at least acknowledged the hack somewhat sooner and gave customers more details about the timeline of the breach... and it even offered some compensatory promotions to win back customers.

By contrast, Home Depot appears to be very late in reporting its data breach, a breach which was even more severe.  And even with it finally reporting the data loss, it failed to provide even the most basic timeline of when the data was seized.  That's a grave disservice to customers, given that they're still left guessing whether their transactions might have been at risk.

You could say Home Depot is adding insult to injury, given that the hack was likely due to the retailer's financially motivated decision to cling to Windows XPe (Windows XP Embedded), an operating system which has already seen two embedded successors, Windows Embedded Standard 7 and Windows Embedded 8 (shorthanded here as Windows 7e and 8e).  You could say some of the blame rests on Microsoft, as the OS is still technically supported.  However, Microsoft has been relatively vocal with enterprise partners, making it clear to them that it would be virtually impossible to patch Windows XPe to deliver sufficient memory protections to make it as secure as Windows 7e and 8e.  Its advice has been simple -- upgrade, or live with the risk.

Retailers chose the latter option.  And now their profit-driven decision has come back to haunt them and their customers.  And in this case Home Depot hasn't even bothered to provide potentially victimized customers with a clear timeline.  And it hasn't offered any free apology discounts like Target did -- not yet, at least.  It appears that when it comes to mega hacks there's "Target bad", but just when you think you've seen the worst, then along comes "Home Depot bad".

Sources: The Home Depot [PDF], AP, Krebs on Security [1], [2]


Copyright 2017 DailyTech LLC.