Home Depot Says Hackers Grabbed 53 Million Email Addresses
wiredmikey writes Home Depot said on Thursday that hackers managed to access 53 million customer email addresses during the massive breach that was disclosed in September when the retail giant announced that 56 million customer payment cards were compromised in a cyber attack. The files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information, the company said. The company also said that the hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
Glad that's over!
Derp
consistently reinforce their legacy retailing status.
TFA says that Home Depot expects to pay "$62 million this year to recover from the incident", referring to exposing the details on 56 million credit cards. That's only $1.11 per exposed card. I used a credit card there during the period, so my Credit Union sent me a new card, plus two other physical letters about the incident. That had to cost them more than $1.11 per affected customer.
I do remember the face of a nice cashier lady in a rural Home Depot — she asked me to "sign up for free" and I refused. It genuinely offended her, though she remained professionally nice... Maybe, now she understands.
And when you have to — or, despite the risks, want to — register with some company, always use an address like yourid+companyname-year@example.com. The nifty feature supported by most mail-servers will still deliver the message into your mbox, but you'll be able to block a particular address, when it gets stolen (or when the party you gave it to in the first place turns to spamming).
GMail supports the feature, Yahoo! Mail might too.
(Of course, owners of their own domains have the infinite supply of even nicer-looking addresses.)
In Soviet Washington the swamp drains you.
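The tagged-address scheme described in the comment above, sketched as an added example that is not part of the original thread: it builds a `yourid+companyname-year@example.com` alias per registration and classifies incoming mail by the alias it was addressed to. The function names, the sender-domain heuristic and all sample messages are assumptions constructed for illustration.

```python
import re

# Matches yourid+companyname-year@domain (the format suggested in the comment).
ALIAS_RE = re.compile(r"^([^+@]+)\+([a-z0-9]+)-(\d{4})@([^@]+)$")

def make_alias(mailbox, company, year):
    """Return yourid+companyname-year@domain for one registration."""
    user, domain = mailbox.lower().split("@", 1)
    slug = re.sub(r"[^a-z0-9]", "", company.lower())
    if not slug:
        raise ValueError("company name has no usable characters")
    return f"{user}+{slug}-{year}@{domain}"

def parse_alias(recipient):
    """Return (company, year) from a tagged recipient, or None if untagged."""
    m = ALIAS_RE.match(recipient.strip().lower())
    return (m.group(2), int(m.group(3))) if m else None

def triage(recipient, sender_domain, blocked):
    """Classify one message by the alias it was addressed to.

    'blocked'  : the owner has burned this alias, drop the mail
    'leaked'   : sender domain has no label equal to the company slug, so
                 the alias reached a party it was not given to (heuristic)
    'expected' : sender matches the company that was given the alias
    'untagged' : plain address, no attribution possible
    """
    rcpt = recipient.strip().lower()
    if rcpt in blocked:
        return "blocked"
    tag = parse_alias(rcpt)
    if tag is None:
        return "untagged"
    company, _year = tag
    labels = sender_domain.lower().split(".")
    return "expected" if company in labels else "leaked"

# Constructed sample mail: (envelope recipient, sender domain).
SAMPLE = [
    ("yourid+homedepot-2014@example.com", "email.homedepot.com"),
    ("yourid+homedepot-2014@example.com", "cheap-pills.invalid"),
    ("yourid+adobe-2013@example.com", "promo.invalid"),
    ("yourid@example.com", "friend.invalid"),
]
BLOCKED = {"yourid+adobe-2013@example.com"}

def run_sample():
    return [triage(r, s, BLOCKED) for r, s in SAMPLE]
```

Anyone holding a tagged address can strip the `+tag` part and still reach the base mailbox, so blocking an alias only stops senders who use the address exactly as it was stolen.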
fight the power!
lolo lo l ololo
And they're a member of CurrentC who wants your bank account info, driver's license and SSN numbers. Who in their right mind would give the MCX or its member companies such info?
Should have hired me instead asshats!
Seems like one of the jobs of IT departments for the last 10 years should have been to have their own surveillance software to be watching for activities that indicate software changes, moving of data, and added code that should be detectable so they can verify what is happening to their systems in near real time.
Did your credit union send the letters, or did Home Depot?
Home Depot isn't paying for your card, and a letter isn't that expensive when you are buying office supplies in bulk.
For a corporation with $78 Billion in revenue, $62 million is like you paying the paperboy his Christmas bonus.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
What is the difference between a used car salesman and a company rep who says your data is safe with them?
The used car salesman knows when he's lying.
How's the C-rate security working out for you now? What a stupid fucking CISO. That was his literal statement in case you didn't catch the prior news articles. They basically didn't give a shit about security at all. Guess what, now no one gives a shit about hiring you elsewhere, you irresponsible fuck.
Time to switch to CurrentC and hand over all my information to the people in the MCX. They're so responsible and knowledgeable about information security and real world threats!
Because I had them install a fence. Not only did they install it in the wrong place, they wanted to charge more to tear it down and put it up in the right place. "F" em.
This will get you EVERY TIME.
Yes, Home Depot offshored significant amounts of their admin. This allows India to work on the computers in the middle of the night. However, like Target, and the others, it enables ppl that have NO VESTED INTEREST in the company, or the nation, to have access to production.
This will continue as long as companies continue to cheat.
I prefer the "u" in honour as it seems to be missing these days.
We've given the NSA all sorts of powers, they've taken a few extra; and the most they've done is supposedly saved America from "The BIOS Plot".
I run my own mail server, and for the past couple of months the spammers have been sending 50-100 emails a day to my Adobe email address, where they go directly into a blacklist. I expect I'll be doing the same with my Home Depot address in another 6 months.
Because hackers did it, see? Not our fault we ran an open network, it was hackers! We couldn't count the hackers but it must have been many hackers! Hackers! Hackers! Hackers!
As long as we keep abusing words well beyond we've erased all meaning from them we can't even begin to admit we're waffling. And that's job security. So it wasn't us. It was hackers.
... that did this...
"the hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada."
What Operating System did this self-checkout system run on?
Will lead to the return of small town hardware stores that don't need to get your email, CC#, SSN, DOB, first child's name, name of the street you grew up on, and would you also like a snickers and a home remodeling with that?
Would be nice that the downfall of these giant megacorps would be because they got too greedy. Why the f*** does Home Depot need your email? I don't want a relationship with you! Sell me my 2x4 and shut off.
I have personally had problems with Home Depot's quality; I shop at the local hardware stores instead.
[sarcasm]Man, I can't wait to sign up for Current C and give them direct access to my bank account and all my personal information![/sarcasm]
-TheDawgLives suckitdown
Additional details disclosed on Thursday, some of which have already been circulating, include:
Criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network.
The stolen credentials alone did not provide direct access to the company’s point-of-sale devices.
The hackers acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
Home Depot previously said that it was first made aware of a potential breach of its payment processing systems on Sept. 2 after being notified by law enforcement.
I once worked for a PCI compliant business and I remember the very stringent requirements for almost everything IT. I am coming to the realization that the PCI compliance standards don't really do much. Well, they probably stop small time crime/hacking, but it appears the battle has been lost, or I should say it is a war of attrition.
Since the Target thing last year, I have stopped using my debit card, and rarely use my credit card. I use cash for as much as I can. I don't do this for any sort of political statement, etc; I do this because it is safer (and I don't spend as much).
I've been using the name Harry Mann and fake contact info for years. It started at SuperCuts, one place wouldn't cut my hair unless I gave them a cell phone number.
And so far, only one stylist has caught the joke. I go back to her regularly and overtip every time.
There's never going to be a way to stop data breaches, so stop feeding big data.
Dear Valued Customer,
The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.
In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.
Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.
Sincerely,
The Home Depot
I was struck by how the letter did not say anything about what HD has done to ensure that something like this will not happen again to them.
My personal email was under good control for blocking junk mail via my SpamAssassin filter and local junk box filters, up until around the time the breach was announced. Since then I have been receiving a dozen or so very well crafted spam emails, all text and all formatted in a similar fashion, containing a row or two of lines with a "reference number", "case number" or something along those lines.