In what could turn out to be another huge data breach, Home Depot on Tuesday confirmed that it is investigating a potential compromise of credit card and debit card data belonging to an unspecified number of customers.
Security blogger Brian Krebs , who first reported the breach, today estimated that it could end up being potentially even larger than the one at Target, which compromised data on more than 40 million payment cards.
Several banks have reported that the intrusion at Home Depot occurred in late April or early May and remained undetected until recently, Krebs noted. Indications are that all 2,200 Home Depot stores in the U.S. may be affected.
"If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target," Krebs wrote.
Paula Drake, a Home Depot spokeswoman, said the company is investigating reports of a potential breach of its networks but provided little details on what might have happened.
"At this point, I can confirm that we're looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," Drake said in an emailed statement. "Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately."
Without further information, it would be inappropriate for the company to speculate on what might have happened, Drake added. "We will provide further information as soon as possible."
The Home Depot incident is the latest in a string of data thefts disclosed by U.S. businesses in recent days.
The breach disclosures come amid escalating concerns within the U.S. payment industry of hackers using malware code dubbed Backoff to steal data from point-of-sale (PoS) system networks. The hackers behind the breaches at Target, P.F Changs and Neiman Marcus are believed to have used Backoff to steal data from each company's PoS systems.
The U.S. Department of Homeland Security and the U.S. Secret Service have issued two alerts warning retailers about Backoff and noting that the malware has infected at least 1,000 U.S. businesses. In most cases, hackers were able to deposit the malware on PoS networks after first gaining access to them via remote access applications, the two agencies warned.
The Payment Card Industry Security Standards Council, which oversees the PCI security standard, issued an urgent bulletin in late August urging retailers to review security controls and take additional protective measures, such as end-to-end encryption, to protect against the malware.
Last Friday, security firm Kaspersky Labs warned that Backoff might have infected a lot more systems than generally perceived.
"It is clear that criminals who are targeting the retail industry have tactics, techniques and procedures that most retailers aren't well prepared to stop," said Rob Sadowski, director of technology solutions at RSA, the security division of EMC. "Cyber criminals targeting payment card data are going after the biggest, most lucrative targets because they feel that they can succeed. And this latest breach, if the reports are true, is proving them right once again."
The latest breach appears to have followed the same pattern as previous breaches at Target, Nieman Marcus and P.F. Changs, said Michael Sutton, vice president of security research at security vendor ZScaler.
"These breaches could have largely been avoided had U.S. retailers adopted the 'chip and PIN' technology mandated in debit and credit cards in most industrialized countries," Sutton said. "The technology has not been widely adopted in the U.S. primarily due to lobbying by retailers who were concerned about the cost of implementing the technology."
The fact that many of these breaches are discovered by third parties and not the retailers themselves is especially troubling, Sutton said.
"It is concerning that gigabytes of credit card data can be syphoned from hundreds of retails stores each day for months and ultimately be sent to attackers in Eastern Europe without alarms being raised or reacted to," Sutton said.