Home Depot: 53 Million E-mails Stolen
Breach Resulted from Third-Party Vendor Compromise
Home Depot on Nov. 6 offered an update to the findings of its data breach investigation, saying that, in addition to 56 million cards being compromised, approximately 53 million e-mail addresses were also taken.
The latest news follows weeks of investigation involving law enforcement and third-party IT security experts, Home Depot says.
The home-improvement retailer on Sept. 18 confirmed that an estimated 56 million payment cards were exposed in a data breach at its U.S. and Canadian stores (see: Home Depot: 56 Million Cards Breached).
In order to evade detection, the criminals involved in the cyber-attack against Home Depot used custom-built malware, which has not been used in other attacks. The malware, which was present on Home Depot's payment systems between April and September, has since been eliminated from its U.S. and Canadian networks, the retailer says.
Home Depot says that criminals used a third-party vendor's username and password to enter the perimeter of its network.
From there, hackers acquired "elevated rights" that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada, the company says. The malware used in the attack has not been seen in any prior attacks and was designed to evade detection by antivirus software, according to Home Depot.
Compromised E-Mail Addresses
In addition to obtaining the payment card data, hackers were able to steal separate files which contained the 53 million e-mail addresses. "These files did not contain passwords, payment card information or other sensitive personal information," Home Depot says.
The company is notifying affected customers in the U.S. and Canada. Home Depot is warning customers to be on guard against phishing scams.
New Security Measures
The company also has completed a major payment security project that provides enhanced encryption of payment data at the point of sale in the company's 1,977 U.S. stores.
The retailer's enhanced payment security is from Voltage Security. The encryption project, launched in January, was completed in all U.S. stores on Sept. 13. The project required writing tens of thousands of lines of new software code and deploying nearly 85,000 new PIN pads to stores, Home Depot says.
Rollout of enhanced encryption to 180 Canadian stores will be completed by early 2015, the company says. All Canadian stores are already equipped with EMV technology; U.S. stores will have EMV in place by the end of this year.
All individuals affected by the breach will receive free identity theft protection services, including credit monitoring, for one year, Home Depot says.
Home Depot estimates it will spend $62 million in fiscal 2014 for breach-related costs, including investigating the incident, providing credit monitoring services to its customers, increasing call center staffing, and paying legal and professional services. The company expects its insurance to cover about $26 million of that expense.