Massive data breach at US retailer worse than first thought, with 53 million email addresses also compromised
The bad news continues for American retailer Home Depot, which has confirmed that 53 million email addresses belonging to its customers have been stolen by hackers.
This is on top of the 56 million compromised credit-card accounts after the firm admitted in September that hackers had gained access to its payment systems, in what is now looking like the largest ever data breach in history.
The breach at Home Depot was only discovered in September, but it is thought that the hackers had access to the payment system since April, meaning they had five months to gather credit-card, debt-card and other details about the retailer’s customers.
Now the company has officially confirmed that 53 email addresses have also been compromised, but that it did not include passwords or other sensitive personal information. However, email addresses can be used to trick others into handing over sensitive information.
“Criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network,” said the Atlanta-based company in a statement. “These stolen credentials alone did not provide direct access to the company’s point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the US and Canada.”
It said that “customers should be on guard against phishing scams, designed to trick them into providing personal information in response to phony emails.” It said it has now closed off the hackers method of entry.
“Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony e-mails,” the Atlanta-based company said.
It seems that whilst Home Depot did have data security measures, but reacted too slowly to the nature of the attack. According to the Wall Street Journal, which cited people briefed on the investigation, the hackers were able to jump the barriers between a peripheral third-party vendor system and the company’s more secure main computer network by exploiting a vulnerability in Microsoft’s Windows operating system.
Microsoft however issued a patch after the breach began, and whilst Home Depot installed it, the patch came too late, and the hackers were still able to move throughout Home Depot’s systems and to its point-of-sale systems as if they were Home Depot staff with high-level permissions.
Home Depot said that it has now implemented enhanced encryption of payment data in all US stores, to fully protect payment card data. It is also rolling out EMV chip-and-PIN technology.
The Home Depot breach could end up being the largest ever data breach in history.
It comes after the massive breach of retail chain Target last year, which has been the largest to date, as it affected about 40 million people. However, that breach occurred over a three week period, while the Home Depot compromise lasted as long as five months, and has compromised nearly double the amount of customer records.
In August, the US Computer Emergency Readiness Team (US-CERT) warned that the point-of-sale systems of about 1,000 retailers had been compromised by the “Backoff” malware, linked to a criminal gang in Eastern Europe.
Are you a security pro? Try our quiz!