Slashdot Mirror
Home Depot Says Breach Affected 56 Million Cards
wiredmikey writes: Home Depot said on Thursday that a data breach affecting its stores across the United States and Canada is estimated to have exposed 56 million customer payment cards between April and September 2014. While previous reports speculated that Home Depot had been hit by a variant of the BlackPOS malware that was used against Target Corp., the malware used in the attack against Home Depot had not been seen previously in other attacks. "Criminals used unique, custom-built malware to evade detection," the company said in a statement. The home improvement retail giant also that it has completed a "major payment security project" that provides enhanced encryption of payment card data at point of sale in its U.S. stores. According to a recent report from Trend Micro (PDF), six new pieces of point-of-sale malware have been identified so far in 2014.
So what would have happened to someone who didn't use their card, but an iPhone 6 with Apple Pay? I take it they would be completely unaffected?
I'm currently on the phone with my bank dealing with this.
Thanks Home Depot!
After you're done cleaning up this mess, could you clean up the bolt isle so I can actually find what I'm looking for should I ever decide to return to your store?
At this point, mag-stripe cards are almost as old-coot-technology as paper money. We can't have nice things (chip & pin) because American industry is too cheap to upgrade infrastructure.
What did they do?
How did you recognize it?
Was it a $10,000 charge with no details or did it show up as a $1,457.24 Home Depot purchase? Or what?
Uh, we're getting chips over the next 12 months, next September is when the liability shifts to the merchant if you have a chip card and they accept it as a swipe so every issuer is going to be sure to have cards out there by then and every large merchant is going to have the ability to use them. The one thing is in the US we're mostly going to be chip and signature, not chip and pin.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
From their website. This is the official Home Depot statement.
Really, this symbolizes the lackadaisical attitude people have when it comes to security - that a breach is not going to happen to them. You'd think after Target major companies like Home Depot would have audited their own security processes.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
The thing is for years they've always said it was the mom and pops that didn't want to upgrade. But the gear is fairly inexpensive to begin with. It's just in most places that still use the old swipe method it's the BANK that owns the gear and leases it to the merchant.
So of course the banks will charge extortionate rates for said card swipe terminals.
But nothing really prevents the really big merchants from telling the bank to stuff their machine. So I'd expect that might see the first use of chip and PIN. It's just for some time cards will have both the magnetic stripe and the chip because all merchants will take their sweet time converting.
But MasterCard and VISA are going one better - they're pushing liability onto the merchants now. So it may happen sooner than later that the upgrades take place.
I was just informed my DEBIT card is on the list, and it's going to cost me $25 to have it replaced.
The least those assholes at THD could do would be to pay for that.
All the Home Depot stores here in Vancouver, Canada have chip-and-PIN card readers.
Damn straight. Harvest their organs for the long organ donor list and they'll have contributed to society for once in their now terminated life.
All the old coots who are still using paper money are laughing at the cashless whipper snappers who shopped at the home depot. Until EMV is accepted everywhere, use cash if you can. Do not use a debit card! Credit card data breaches of major retailers are now widespread.
Whenever this story pops up, it's always "US and Canadian stores affected..." followed by a bunch of frustrated comments about how the US isn't using chip and pin yet. Well Canada *is* using chip and pin, and I can never find any details about weather or not Canadian customers should actually be worried (unless they had to fallback to the old magstripe stuff, of course), because if chip and pin was breached too then it's not going to do the US a lot of good to upgrade to it. Anyone know the details?
Sure, if we straight up execute people for stealing credit cards then credit card theft would probably go away.
But then the same can be said about every crime, and personally even as a generally law abiding person, I don't think I want to live in a world where any crime means death by catapult or exile to the acid mines.
When I watched Justin Ross Harris' Preliminary Hearing, I was stunned by how little work Home Depot's developers seem to do.
Harris worked for Home Depot's ".com business" per a quote from the Home Depot Corporate Communications Manager in this CNN article. The Preliminary Hearing did an amazing job of describing his typical workday: After watching cartoons with his child, then taking him out for breakfast, Harris eventually arrived at his office at about 10 AM. About 90 minutes later, he went out for a long lunch, with a carload of coworkers. After eating, the group stopped at a store to puchase some items. After lunch, Harris is at his desk for a few hours, but then he was out the door at 4 PM, off to watch a movie with some of his coworkers.
The hearing documented that he put in, at most, about five hours of work. During those five hours, he was IMing women on dating sites and also IMing a couple coworkers about a small startup/consulting business they had.
Obviously varies a lot by location, but I've found the Home Depot here to be one of the best as far as having people in departments that know their stuff. Spend a few minutes looking perplexed while staring at an isle and someone will ask if they can help. Last time I was there the guy in the plumbing department was ridiculously helpful.
And we have Chip & Pin here (Canada).
56 million people shop there? What the hell is wrong with people? Do they only have Home Depot in their community? Their lack of any customer service of any kind, confusing aisles, and inability to carry anything anyone needs makes me wonder why anyone would still shop there.
That's what you get for doing business with a bank. Smart people use credit unions.
I don't respond to AC's.
It is a credit union. It's the fact that it's a debit card that they are charging me.
Wow, I'm surprised at that. I'm a member of three different credit unions, and none of them charge for stuff like that (if for much at all). Very strange!
I don't respond to AC's.
every home depot in my city is basically 1 staff at each entrance and exit
30 check out lanes all closed, 4 self check out lanes guarded by one person who's too busy texting to do anything useful
i'm glad home depot went to shit in my city before the data breach i used to shop their but since they turned into big self service wear houses i haven't been back.
This cat and mouse game will go on indefinitely.
Wansu, th' chinese sailor
It sounds like this sort of thing takes a scale of resources to accomplish that wouldn't be used idly.
So why are we hearing about a lot of cracks lately that get huge amounts of payment information, but apparently don't lead to massive numbers and dollars of thefts from accounts?
Is someone testing experimental weapons for a future cyber war that would aim to create enough financial chaos to crash our economy?
Or conversely, is there a secret government project to deliberately crack corporate financial systems, to scare them into getting more secure?
So, all these folks who are saying "low-life criminals are the problem, and we need to stop them by whatever means necessary" shouldn't be calling for harsher penalties, but more pervasive surveillance (because the important factor is how likely you are to be caught, not how severe the punishment is).
Yeah, I'm sure they'll get right on that.
The funny thing is that the other day I took one of the cats into the vet for an exam, and when I went to pay I found that they had a chip card reader, and it worked the way it was supposed to. My the first chip-card transaction in the U.S., and it was at a small mom-and-pop.
I should note that for many months, Home Depot has had chip card readers at their POS terminals, but they are not yet active.
"The retailer left its computers vulnerable by switching off Symantecâ(TM)s Network Threat Protection (NTP) firewall in favor of one packaged with Windows. âoeIt is highly advised and recommended the NTP Firewall component be deployed and that Windows Firewall be discontinued,â the report states."
See, wasn't that easy?
A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
And the reason is obvious, people don't care.
How much money is Home Depot really gonna lose in this case? Maybe some liability? Probably cheaper to accept the risk than spend money on preventative measures which still might not be enough.
But surely people will be angry and vow to never shop there again? Nope. While it's in the news, sure, but people forget quickly. Remember how big the Sony/PSN thing was. I know people who swore they'd never do business with Sony ever again who currently own a PS4. As a whole, the thing has largely blown over and been forgotten about, as I'm sure this too will be.
Until there are real penalties to these kinda breaches, we'll keep seeing them.
RFID cards have proven to be easy to compromise.
I've not seen an RFID card. Do you have a link? Or did you mean EMV?
Tell them you would just like to go ahead and cancel your account. If they don't waive the fee, you should. There are many banks and alternatives. BTW, stop using a debit card for anything other than an ATM. If your debit card is compromised, they get your money. If your credit card is compromised, they get the credit card companies money. Which do you think is easier to deal with?
I'm fine with the chip; that protects me, the bank, and the retailer. I am NOT fine with the PIN. My signature can't be stolen; if someone steals my card, the signature on the sales slip proves it's not me. But if someone steals your PIN they have your every penny.
It happened to me with a debit card. I welcome the chip, but of they add a PIN I'll cancel all my cards and go back to cash and checks, even though they're nowhere as convenient.
Free Martian Whores!
Harvest their organs for the long organ donor list and they'll have contributed to society for once in their now terminated life.
Certain intelligent people have already explored where that idea ends up.
Executive summary: you better never get caught jaywalking, because there are dozens of people who think they have a claim on your vital organs thay you do.
Welcome to the Panopticon. Used to be a prison, now it's your home.
You are so right, the worst case scenario is inevitable. You also have changed my life: I too will now quote fiction as if it were reality. Excuse me while I go find the local Scientology branch so I can follow your lead.
And it's one reason why I never ever use my debit card like it was a credit card. Debit cards just don't have the protections that credit cards do.