Customer Data Breach at Home Depot May Be Biggest Yet
By Jennifer LeClaire / CIO Today. Updated September 04, 2014.
Home Depot is warning and reassuring customers about a potential data breach. The home improvement retailing giant is still investigating a possible hack but has made it clear customers will not have to foot the bill for any fraudulent charges that may emerge.
"Our forensics and security teams have been working around the clock," spokeswoman Paula Drake said in a published statement. "In the event we determine there has been a data breach, our customers will not be responsible for any possible fraudulent charges."
Home Depot has hired Symantec Corp. and Fishnet Security to investigate after discovering unusual activity on Thursday. The retailer is also working with law enforcement agencies but has not disclosed specifics.
"We know that this news may be concerning, and we apologize for the worry this can create," Home Depot said in a notice posted on its Web site. "If we confirm a breach has occurred, we will make sure our customers are notified immediately."
Don’t Use Cards Tied to Your Bank Account
We caught up with Tom Cross, director of security research at network security firm Lancope, to get his take on the possible breach. He told us these retail compromises can have a direct financial impact on consumers -- and that the Home Depot incident has the potential to be bigger than the Target breach.
“Some banks issue credit cards that are directly tied to consumer checking accounts,” Cross says. “Fraudulent charges made on these cards are immediately deducted from the consumer's bank balance, and the consumer may have to wait for a fraud investigation to complete before they can recover their money.”
With so many large retail organizations getting compromised, he strongly recommends consumers avoid using cards that are tied directly to their checking accounts. However, he adds, people do not want to go through the hassle of having their cards replaced because they were compromised, even if they won't be held responsible for the charges.
“Therefore, these compromises do have a reputational impact on financial institutions -- some consumers will avoid doing business in stores if they fear that their card may be compromised,” Cross said. “Other retailers who have been impacted in this string of attacks have faced significant costs associated with cleanup and lost sales.”
Improvements Since Target Breach
We also turned to Daniel Ingevaldson, CTO of Web fraud detection firm Easy Solutions, for his thoughts on the possible breach. He told us it appears this new batch of cards is selling for $50 to $100 each, though he said those prices are likely to come down faster than in the past as the window of opportunity to profit from stolen cards has shrunk.
“This has happened because financial institutions have become smarter about dealing with these attacks,” Ingevaldson said. “For example, black market sites used to allow you to 'test' a stolen card, charging a small amount on it before committing to purchase, in order to prove it was a valid card. Since the Target breach, banks have improved their detection methods to look for these kinds of charges -- as an indication of likely potential new fraud -- so these sites no longer offer this service.”
What’s more, he said, a growing number of banks are monitoring the black markets themselves, either on their own or through services like those offered by Easy Solutions, as an early warning system for stolen cards.
“We expect we'll continue to see these large scale retail breaches continue, as a result of wide open POS (point-of-sale) devices, combined with the incredible difficulty of discovering a large, sophisticated breach,” Ingevaldson said. “The hope here, though, is that banks and retailers are becoming faster to respond, and are improving their detection methods, thereby shortening the window of opportunity for these criminals, and reducing the exposure and hassle to consumers.”