News Feature | September 10, 2014

Home Depot Could Be Latest "Backoff" POS Malware Victim

Source: Innovative Retail Technologies

By Christine Kern, contributing writer

Retailer Continues to Investigate Details and Scope of Attack

A TechTarget article says there is evidence that supports the conclusion of a data breach at Home Depot, and it could have affected nearly all locations across the U.S. over several months. There is speculation the cause could be Backoff malware that targets POS systems.

According to investigative security journalist Brian Krebs, an analysis of more than 3,000 payment cards available on rescator.cc -- the online shop that sold cards gathered from breaches at Target, P.F. Chang's and others -- shows a 99.4 percent overlap between the ZIP codes of the cards and Home Depot U.S. locations. Krebs said on his site that only 10 ZIP codes attached to the cards available on Rescator don't match Home Depot stores.

A statement on the company's website said that it is "looking into some unusual activity," and spokesperson Paula Drake has also elaborated in press conferences that the company has hired security firms Symantec Corp. and FishNet Security to help investigate the breach.

"Our forensics and security teams have been working around the clock," Drake said in a media statement. "In the event we determine there has been a data breach, our customers will not be responsible for any possible fraudulent charges."

The incident may have begun in late April or early May, potentially giving attackers an approximately four-month window in which to steal data from 2,200 U.S.-based stores.

In comparison, the Target breach that resulted in the compromise of some 40 million payment cards reportedly occurred during only a three-week period last year and affected just under 1,800 stores. That breach played a role in a string of bad financial results for the company, including $146 million in breach-related expenses outside of insurance coverage, and culminated in the ousting of Target CEO Gregg Steinhafel and other long-time executives. Stifel Nicolaus analyst David Schick told The Wall Street Journal that a Target-esque breach at Home Depot could cost the home improvement retailer seven cents a share this year.

The home-improvement chain said it is intensively investigating a data breach and said safer chip card technology will be activated by year’s end.

Home Depot is sparing no efforts to find out whether a credit and debit card breach took place at the do-it-yourself retailer, its CEO Frank Blake said. “The most important thing for us is making sure that our customers feel comfortable shopping at The Home Depot, and that’s going to be our guiding principle,” said Blake, who announced his upcoming resignation before the possible breach came to light.

A class action lawsuit has been filed in U.S. District Court in the Northern District of Georgia against The Home Depot over the potential data breach the home improvement giant has been investigating this week. In the lawsuit filed September 4, Home Depot customers allege that the retailer failed to protect customers’ credit card and personal information and did not warn consumers in a timely manner.

The legal action claims the company was hacked in early April or late May, but did not acknowledge the potential security breach until Krebs’ report.

The lawsuit seeks injunctive relief and damages.