The Home Depot hack: How, why and what we can learn

Another retailer suffers a cyberattack

Home Depot hack

On September 8 Home Depot confirmed that it had joined the growing ranks of American companies targeted by a cyber-attack - and that the customer data of approximately 56 million users had been compromised.

These hacks are nothing new, with high-profile retailers like Target, Neimen Marcus and Victoria's Secret falling victim to cyber-attacks in the past year. In addition to retailers, organizations that customers generally assume to operate with the highest levels of security protocols - like JP Morgan Chase - have been subject to their own cyber-attacks.

But the world's largest home-improvement retailer, with 1,977 stores in the United States and 180 in Canada, can now also lay claim to the dubious honor of being the company responsible for allowing one of the largest-ever data breaches on record.

What happened? Home Depot gets a visit from DIY cyber-criminals:

Using custom-built malware to avoid detection, cyber-criminals were able to lift the names, credit card numbers, expiration dates, cardholder verification values and service codes for approximately 56 million customers who made purchases in Home Depot stores between April and September of 2014. Stores in Mexico, online shoppers to both HomeDepot.com and HomeDepot.ca, and customers who paid in store by check were not affected by the malware. Personal identification numbers were also not found to have been compromised.

The company claims that it was alerted to a potential breach the morning of September 2 by law enforcement officials and banking partners who had noticed unusual activity connected to the company's payment systems. The company confirmed the possibility of a breach later that day - hours after investigative reporter Brian Krebs broke the story of the potential breach on his blog. An investigation confirmed that the systems had in fact been compromised - something Krebs had noted was likely after an underground cybercrime outlet dumped a massive number of stolen credit cards on the market that appeared to be linked to zip codes where Home Depot stores were located.

The malware was eventually removed ten days later and it appeared to be unlike any other used in previous attacks, according to the various security partners involved in the investigation.

What makes this hack interesting? A one-stop shop for the latest in criminal activity:

  • Credit monitoring and fraud protection
  • The CEO public apology and taking responsibility
  • New security measures
  • A criminal investigation

In a surprise twist, it appears the cyber-attack on Home Depot may have been politically motivated and not just a means-to-an-end-theft, although the investigation is ongoing. Krebs has noted that those responsible for the Home Depot hack may have been protesting the US and European sanctions against Russia for its aggression against Ukraine - the stolen batches of credit cards were named "American Sanctions" and "European Sanctions."

Supporting this theory is that Western sanctions against Russia were enacted around mid-March and the malware is reported to have been active since April.

As political activism moves increasingly online with collectives like Anonymous rallying around various causes, these sophisticated, politically-motivated attacks by international cyber-criminals could herald a new era of cyber-crime that goes beyond just identity theft.

What's Home Depot doing to address the breach?

Like other retailers such as Target that were hit with similar breaches, Home Depot is offering free identity protection, including credit monitoring for one year to all customers who may have been affected. Customers aren't held responsible for any fraudulent charges, and the company advises any customer who believes they have been subject to a fraudulent charge to contact their fraud resolution services.

CEO Frank Blake apologized on behalf of the company to Home Depot customers in a press release saying the company regrets "the inconvenience and anxiety this [hack] has caused" while reassuring customers they would not be held liable for any fraudulent charges.

In addition to addressing the direct fallout of the breach by helping the customers affected, Home Depot says it has now fixed the issue that led to the hack. It has also enhanced its payment encryption for US stores via a new security initiative provided by Voltage Security Inc. Canadian stores (which already use the more secure "Chip and PIN" technology being rolled out to US stores by the end of the year) will have to wait until early 2015 for their enhanced encryption. Home Depot states that this "major payment security project," which takes payment information and scrambles it to render the information useless to hackers, will offer significant new protection for its customers.