Print 23 comment(s) - last by SPOOOK.. on Sep 7 at 8:55 PM

Reportedly theft may eclipse Target hack, with over 40 million cards believed to be stolen by Russian Hackers

Americans may soon be hearing some shocking news as retail giant Home Depot Inc. (HD) has reportedly been linked to a "massive" loss of customer data to hackers operating out of Russia and Eastern Europe.  According to intial reports the breach may involve the theft of over 40 million credit cards, stolen using point-of-sale (PoS) malware deployed across most of the retailer's 2,200 U.S. stores.  Reportedly, the attack may eclipse the shocking data breach that occurred at Target Corp. (TGT) over the 2013 holiday season.

Security researcher Brian Krebs caught wind of the hack when a massive batch of millions of stolen credit cards was offered up for sale on cybercrime hub rescator[dot]cc.  The cards were posted under the headings "U.S. Sanctions" and "European Sanctions", titles that suggest that these cybercriminals are looking to legitimize their efforts as a retaliation against the U.S. and European governments for their sanctions against Russia over its involvement in eastern Ukraine.  

The "U.S. Sanctions" heading contains data on cards issued by American banks, while the "European Sanctions" heading has European bank-issued credit card data.  

The stolen cards allegedly come from a hack of Home Depot, the largest home improvement supplies store in the U.S.  Home Depot spokeswoman Paula Drake comments:

I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate.

Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has a occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.

Given the political rammifications, Home Depot may receive extra help from the governments of states with affected banks.  Likewise banks are reportedly circling their wagons to try to limit the damage of the huge data loss.

The timeframe -- both beginning and (possibly) end -- of the Home Depot hack are unclear.  Brian Krebs writes:

Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.


Sources: Krebs on Security, Bloomberg

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Check your debit or CC
By ProfFarnsworth on 9/2/2014 10:34:42 PM , Rating: 5
Hey all, I do work with a bank and I am gonna let you know this is correct.

Look on your statements if you have shopped in the past with them. Hell, check them if ou haven't.

Look for the following charges:
All of these are about $49.95 and there is one where its a bunch of numbers dot com. All of these sites are fake and are being reported as fraud.

Most of these charges are coming out of either Korea or Florida. Don't believe me? Look up these charges above and you will see what I mean.

RE: Check your debit or CC
By sorry dog on 9/2/2014 10:53:38 PM , Rating: 2
The company that still uses windows XP on POS registers got hacked. Who woulda thunk it??

RE: Check your debit or CC
By pixelslave on 9/3/2014 8:30:03 PM , Rating: 3
I don't think the problem is about using XP system as POS, but how could they let a POS be used for something else other than getting paid by the customer. The truth is, even if they use XP, if all their POS are nothing more than a POS, and allows absolutely no one to use them for any other purposes, the chances that they get hacked would drastically lower.

RE: Check your debit or CC
By deltaend on 9/4/2014 12:15:17 AM , Rating: 2
by pixelslave on September 3, 2014 at 8:30 PM

I don't think the problem is about using XP system as POS, but how could they let a POS be used for something else other than getting paid by the customer. The truth is, even if they use XP, if all their POS are nothing more than a POS, and allows absolutely no one to use them for any other purposes, the chances that they get hacked would drastically lower.

Not correct. POS systems will be connected to the internal network in order to run their software off of a central or remote server (inventory database, rewards cards, credit card processing, transaction record management, etc...). If the network isn't correctly segmented through VLANs and other firewall technologies, then computers that run in the offices will be directly connected to the same network as the POS systems. In fact, in Target's case, it was the HVAC system that was directly connected to the same VLAN system as the POS terminals.

Once inside of the network via another computer, it's a simple matter to run a vulnerability scan on the entire VLAN and determine if any machines are exploitable remotely. Due to stagnant patching of XP, it would only take a single vulnerability to get into everything. For that matter, they don't actually need to get into the POS terminals themselves as much as they simply need to either listen via Man in the Middle attacks to the traffic passing between POS terminal and server, or hack into the site server/firewall itself and gain access that route. Most POS (large scale designed, not small business grade) software does NOT encrypt data between the POS station and the server simply due to the complexity of implementing this on a machine by machine basis. Instead, the network is usually segmented from normal traffic and/or VPN's are employed which have built in encryption. Once the data reaches the server, connections to process payment gateway based transactions are encrypted from the server out to the public internet. Much of this is changing in the POS world, however, it takes time to swap out or upgrade all POS devices in all Home Depot stores in the USA.

There are a plethora of options for getting the same hack accomplished, but having XP running on critical devices that could be exposed to an outside influence does help hackers do what they want.

RE: Check your debit or CC
By deltaend on 9/4/2014 12:17:19 AM , Rating: 2
Also, who said that this wasn't an inside job? Most of the time when you see companies like this hacked, the initial door is opened by an employee with some initial level of access.

RE: Check your debit or CC
By FITCamaro on 9/2/2014 11:10:40 PM , Rating: 2
Luckily I don't even think the card I used the last time I shopped at Home Depot is even valid anymore. It's been years.

RE: Check your debit or CC
By wallijonn on 9/5/2014 2:28:51 PM , Rating: 2
If you have used an ATM card to pay your HD bill then you probably should get a new Debit card since they are not covered under the bank's fraud protection.

By MoneyisaScam on 9/2/2014 6:49:56 PM , Rating: 5
Seriously, what are we waiting for? That CEO needs a bonus

By ritualm on 9/2/2014 11:38:32 PM , Rating: 3
Throw in a multi-million golden parachute and we're all set.

By inperfectdarkness on 9/3/2014 1:36:31 AM , Rating: 5
Can the Home Depot afford it? I mean, they ended up shelling out HALF A BILLION to Nardelli, just prior to him ruining what little was left of Chrysler.

By sorry dog on 9/3/2014 1:33:58 PM , Rating: 2
Sad thing is that will probably happen. It's all to common for these department head positions to be given to those with questionable competence for reasons of favoritism rather than skill or leadership skills. In this case I've heard it first hand from a former CIO of Home Depot that at that place, the quality of your work played a small part in your success in the company. No doubt he had a least a little case of sour grapes, but it seems rather obvious that if your still using XP company wide for store POS registers, then you got some serious IT risk issues. I don't doubt some plaintiff firms are smelling a good class action case here. I suspect when the details come out... they will make the Target folks look like security gurus in comparison.

By quiksilvr on 9/2/2014 5:47:19 PM , Rating: 2
My guess is businesses want to wait until after the holiday season but this is going to become a serious problem if we don't make the switch soon.

By Schadenfroh on 9/2/2014 6:13:35 PM , Rating: 2
We need more than a simple "smart chip", we need one-time passwords generated by pressing a button on the card for each transaction (online and in-person) + a short PIN known to the user to help guarantee the person using the card physically possesses it.

By kmmatney on 9/3/2014 12:21:08 AM , Rating: 3
I think our smartphones are going to get this before our credit cards do.

By snyper256 on 9/2/2014 10:06:03 PM , Rating: 2
NATO is trying to make it legal to treat cyber attacks the same as they respond to physical real world attacks.

By inperfectdarkness on 9/3/2014 1:35:20 AM , Rating: 4
Why not? If the damage has the same net effect, it seems like that's the most logical recourse. If a cyber-attack knocks out something vital in ATC and a jetliner crashes, isn't that really the same as Russia shooting one down?

I think the Tallinn manual is a great step forward, but it doesn't go far enough. There needs to be a full-up Geneva conventions addendum dealing with cyber-warfare. Without it, everything is essentially "fair game" in the cyber realm. That's a very, very dangerous place to be--if we're trying to avoid escalation.

For the record, I think Russia and China embody that which the USA and Israel are accused of (most often by radical islamists)--namely imperialism. Imperialism seeks to add more territory to one's own nation/state/country. Russia already claims the Crimea, and China virtually claims everything in the South China Sea. Meanwhile, the USA doesn't want to own/occupy Iraq or Afghanistan (no matter what lies have been spread)--they only want to see those regions stabilized so they don't allow the exportation of violence to the western world.

By snyper256 on 9/3/14, Rating: -1
By lagomorpha on 9/7/2014 12:28:40 PM , Rating: 2
NATO is trying to make it legal to treat cyber attacks the same as they respond to physical real world attacks.

Eh, doing away with Microsoft impersonating Indian scam telemarketers and spammers are actually a couple applications of predator drone strikes I approve of.

Pure incompetence
By GatoRat on 9/3/2014 1:36:04 PM , Rating: 3
Protecting our customers’ information is something we take extremely seriously...

Apparently not.

Will this finally wake businesses up? The incompetence of most high level technical managers is blindingly obvious. It would behoove CEOs to educate themselves about IT.

RE: Pure incompetence
By fic2 on 9/3/2014 1:42:07 PM , Rating: 2
I am pretty sure most CIO/CTO types don't have any kind of technical degree. I would bet most of them in the Fortune 1000 have accounting degrees than CS/Engineering degrees.

By ndallari on 9/4/2014 12:56:44 PM , Rating: 2
Blocking the IP addresses from these countries.
I know they can spoof but this should reduce the amount of attacks.

By TheDoc9 on 9/4/2014 5:48:17 PM , Rating: 2
I just got a new card because of the Target theft!

banks refuse computer chips
By SPOOOK on 9/7/2014 8:55:35 PM , Rating: 2
this is because banks in the usa refuse to put computer chips on credit cards so let then get hacked every day the heck with them

"My sex life is pretty good" -- Steve Jobs' random musings during the 2010 D8 conference

Copyright 2015 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki