Home Depot on Thursday said it had excised the malware demon from its computerized payment system after its recent discovery of a security breach in which thieves stole records of 56 million credit cards.
Home Depot stopped short of admitting that an ongoing security upgrade may have contributed to the breach. Efforts to harden the system with enhanced encryption and new technology will not be completed in some areas until early next year.
Cybercriminals used a custom-built malware attack to evade detection for at least five months — from April to September — the company said.
The malware had not been seen in other attacks, according to Home Depot’s security partners.
The hackers’ method of entry is now closed, the company emphasized. Any terminals identified with the malware were taken out of service, and security enhancements were put in place.
“Customers should carefully monitor their statements and take advantage of the free ID protection and credit monitoring we are offering,” Paula Drake, a Home Depot spokesperson, told the E-Commerce Times.
Still at Risk
Despite the measures taken, Home Depot and its customers could face future consequences from the breach. There is no evidence that debit card PINs were compromised, or that the breach impacted stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca.
“We don’t know if email addresses have been stolen, said Stu Sjouwerman, CEO of KnowBe4. “Probably not. So consumers are probably just dealing with the standard compromised credit card accounts.”
This malware attack was a very specific software vulnerability. Once it is plugged, you are OK, he told the E-Commerce Times.
“You are not going to find that particular problem coming back,” Sjouwerman said, but “that does not mean there will not be other problems Home Depot will run into.”
For instance, if hackers did obtain debit card PINs, they could wipe out customers’ banking accounts, he warned.
Watch and Wait
Home depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store from April 2014. Customers who wish to take advantage of this service can learn more at www.homedepot.com or by calling 1-800-HOMEDEPOT (800-466-3337). Customers in Canada can call 800-668-2266.
“We’ll continue to focus on the customer and take care of them through this process. We’ve had that commitment from day one, and it is our clear focus,” said Drake.
In addition to using the credit-monitoring services the company is offering affected customers, Home Depot shoppers should be very careful to check for bogus charges placed on their credit cards, suggested Sjouwerman.
They also should be aware of new credit card accounts being applied for in their name.
“Those are the two main things you find with identity theft,” he said.
Home Depot’s new payment security protection locks down payment data through enhanced encryption. It takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.
The new technology, which comes from Voltage Security, has been tested and validated by two independent IT security firms, Home Depot said. The encryption project was launched in January.
However, the rollout was not completed in all U.S. stores until last weekend. The rollout to Canadian stores won’t be completed until early 2015.
Home Depot did not encrypt all of the transaction data, said Sjouwerman. Encryption has to be applied within the machine and while being transmitted within the payment network. “The credit card information that got stolen was not encrypted at the moment it was in system memory.”