After much speculation and investigation, Home Depot announced on Thursday that the breach lasting from April to September 2014 compromised a total of 56 million credit cards – making it the biggest breach in history.
The home improvement retailer also announced it has confirmed the malware infecting its point-of-sale systems has now been eliminated from its U.S. and Canadian networks. Contrary to earlier reports, Home Depot stated its investigations concluded the malware was not the same malware that impacted Target’s systems last year.
“Criminals used unique, custom-built malware to evade detection,” said Home Depot in a press release. “The malware had not been seen previously in other attacks, according to Home Depot’s security partners.”
Tripwire security researcher Ken Westin said that, although Home Depot claims the malware is unique, it could originate from a build of malware used in previous attacks. “The criminal syndicates involved in these attacks do their homework,” said Westin. “They learn a lot about the target network and can modify their payloads accordingly.”
“BlackPOS malware, for example, is essentially open source, since its source code was leaked in 2012. Attackers are modifying the code specifically to avoid detection, adding the ability for the software to masquerade as antivirus processes and increase the performance of the credit card scanning processes amongst other improvements.”
The company began its investigation on September 2, when security journalist Brian Krebs reported multiple financial institutions found evidence that a massive new collection of cards had appeared for sale in the underground credit card black market.
Home Depot’s press release stated the company has completed a major payment security project, providing enhanced encryption of payment data for systems in all U.S. stores:
“The new payment security protection locks down data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.”
The project has been implemented across all U.S. stores as of September 13, 2014, with completion in Canadian locations planned by early 2015. EMV “Chip and PIN” technology currently exists in Canadian stores, and Home Depot also projects a deployment to U.S. stores by the end of the year.
In a notice to Home Depot customers affected by the breach, Home Depot stated it is offering 12 months of free identity protection services, including credit monitoring.
Currently, the world’s largest home improvement retailer estimates breach costs to tally $62 million, although insurance will help offset expenses by $27 million.
Target’s breach, affecting 40 million credit and debit cards over the course of six weeks, cost the retail giant approximately $148 million, suggesting Home Depot’s expenses are likely to amount to much more than that.
Nonetheless, Westin stresses that the incident should be looked at as the current state of security. “Collectively, we are looking at well over 100 million credit cards being compromised—this isn’t about individual stores,” said Westin.
“In many regards, the U.S. financial system has been compromised, with a significant impact to our economy and consumer trust that will continue to have ripples over the next few years as retailers are still scrambling to deal with the vulnerabilities these attacks have exposed in payment systems and processes.”
In the meantime, however, cybercriminals are surely prospering, using the credit card information of more than 50 million customers. This video demonstrates how cybercriminals benefit from the stolen goods, even when the cardholders themselves are not responsible for the fraudulent charges: