Elizabeth Weise, USATODAY
SAN FRANCISCO — A massive batch of credit and debit card information that went on sale on a criminal Internet site Tuesday may be from Home Depot stores and could be linked to hackers responsible for breaches at Target and P.F. Chang’s, security experts say.
The credit card information was offered for sale Tuesday on an underground site that traffics in stolen financial information, journalist Brian Krebs reported on his blog, Krebsonsecurity.com.
The breach could have begun in late April or early May of this year, Krebs reported.
If that is true, this incident could dwarf the Target breach, in which 40 million credit and debit accounts were compromised over a three-week period.
“This latest batch of cards is for sale from the same underground store that sold cards from P.F. Chang’s and Target,” said Trey Ford, a security strategist at Rapid7, a Boston-based computer security company.
Home Depot spokeswoman Paula Drake said she could only “confirm that we’re looking into some unusual activity, and we are working with our banking partners and law enforcement to investigate.”
The data put up for sale were labeled “American Sanctions.”
Krebs interpreted the name “as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine.”
Stolen information from cards issued by European banks that were used in Home Depot stores was sold separately and labeled “European Sanctions,” Krebs reported.
Drake said Home Depot takes protecting customers’ information extremely seriously. “We are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately,” she said.
The data for sale include information that would have come from the magnet strip on the back of credit and debit cards, Ford said. Based on that, “there is probably malicious software on the point of sale registers in the stores,” he said.
Credit card security breaches can cause companies significant losses. Target is still recovering from a massive data breach it suffered last holiday season in which 40 million card accounts and the personal information of up to an additional 70 million people were compromised.
In its latest earnings announcement last month, Target cut its annual profit outlook in part because of the breach, which has cost the retailer $146 million for the year. That’s after $90 million in insurance reimbursements.
The Department of Homeland Security said recently that more than 1,000 U.S. businesses have probably been infected with a recently discovered point-of-sale malicious software called “Backoff.”
The malware was first detected in October 2013 and was not recognized by antivirus software programs until last month, Homeland Security said.
Though it is not known whether the Home Depot breach involved the Backoff malware, these kinds of data problems are pervasive, said Avivah Litan, a computer security analyst with Gartner Research in Stamford, Conn.
The real trouble is not the companies but the credit card companies and banks that aren’t introducing stronger security, she said.
“They could simply encrypt the information right at the terminal. That would stop most of these attacks,” she said.
The next step is to begin using credit cards that include computer chips and require the use of a PIN, as is common in Europe, experts say.
“Similar attacks on merchants will likely continue until we remove the magnetic stripe from being the primary mechanism of data transfer in card-present transactions,” said Seth Ruden, a fraud consultant at banking payment company ACI Worldwide in Naples, Fla.
The Home Depot breach, like the others before it, should increase the pressure to migrate to “chip and PIN” cards and reinforce the need for “stepped-up security in payments, especially in the US, where we currently lag behind our peers,” he said.
Contributing: Hadley Malcolm
