Russian hackers apply 'sanctions' by stealing credit card data from Home Depot

As if the data breach at the Target retail chain wasn’t bad enough, Home Depot might have just suffered an even bigger theft of customers’ credit card data… and it looks like the same gang of Russian hackers is responsible.  Daily Tech notes that the thieves chose a pithy way to advertise their alphanumeric loot on the black market:

According to intial reports the breach may involve the theft of over 40 million credit cards, stolen using point-of-sale (PoS) malware deployed across most of the retailer’s 2,200 U.S. stores.  Reportedly, the attack may eclipse the shocking data breach that occurred at Target Corp. (TGT) over the 2013 holiday season.

Security researcher Brian Krebs caught wind of the hack when a massive batch of millions of stolen credit cards was offered up for sale on cybercrime hub rescator[dot]cc.  The cards were posted under the headings “U.S. Sanctions” and “European Sanctions”, titles that suggest that these cybercriminals are looking to legitimize their efforts as a retaliation against the U.S. and European governments for their sanctions against Russia over its involvement in eastern Ukraine.  

The “U.S. Sanctions” heading contains data on cards issued by American banks, while the “European Sanctions” heading has European bank-issued credit card data.

Home Depot and its financial partners are still investigating the scope of the data breach, which was discovered when bank investigators discovered the trove of stolen credit card data for sale and traced its origins back to the home-improvement giant.  Home Depot issued a formal statement on Tuesday: “Protecting our customers??? information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further, but we will provide further information as soon as possible.”

The New York Times lists some other suspected victims of the Russian hacking ring:

If a breach is confirmed, Home Depot will be the latest target in a recent string of hacking attacks against major companies, after Target, Neiman Marcus, Michaels, Sally Beauty, P. F. Chang???s and UPS. Those companies said criminals had installed malicious software on their systems that siphoned customers??? payment information. The hackers who broke into the systems are believed to belong to the same crime ring in Eastern Europe.

The number of customers affected by the breaches amounts to more than one-third of the American population.

In July, the Homeland Security Department and the Secret Service issued a report warning retailers to check their in-store cash register systems for a set of malware that could evade detection of antivirus products. The Secret Service estimated that over 1,000 businesses had been infected by the software, which security researchers called Backoff.

A glum assessment of the fallout for Home Depot at Forbes notes that security analyst Brian Krebs, who first reported the attack, “has never been wrong before,” so the odds that the data theft matches these early estimates of its enormous size are high.  If that’s the case, analysts venture that it could knock up to 7 cents off the price of Home Depot stock, based on what happened to Target.  Customers with Home Depot accounts are advised by Credit Sesame security analyst Neal O’Farrell to take some basic steps to protect themselves:

O???Farrell recommends consumers use the breach as ???an earthquake drill??? and go through the ???security routines you???ve been putting off.??? Check your financial statements, change your passwords, get credit monitoring and identity protection (O???Farrell???s employer Credit Sesame offers both for free).

???Don???t panic,??? says O???Farrell. ???Use this as a security exercise but demand that Home Depot say more and not less. If at some point you want to forgive Home Depot they need to earn the forgiveness by being brutally honest about what happened and when.???

As for precautions retailers can take to protect themselves, the Department of Homeland Security issued some recommendations when it warned about the malware infestation of cash registers mentioned in that New York Times piece above.  The ancient magnetic-stripe technology used on current credit cards was cited as a significant problem, so a shift to chip-based “smart cards” will likely take place over the next couple of years, at a significant cost to retailers.  Some of the other recommendations are steps it’s rather surprising big companies haven’t already taken, such as separating point-of-sale cash registers from the main corporate networks, enhancing the strength of passwords, encrypting data more heavily as it moves between systems inside the store, and watching store networks for weird network activity (such as outbound data packets heading for Eastern Europe or Russia.)

Enhanced employee awareness training should also be on the menu, as Neal O’Farrell noted in his remarks to Forbes: “If the attack was the same as Target ??? nothing more advanced than just tricking an employee into opening a phishing email, then we have a much bigger problem.  There???s nothing advanced or sophisticated about that kind of attack, and it???s a warning that even the most basic of security ??? employee awareness ??? is not in place.”