Will Home Depot top Target for most data stolen?
By Byron Acohido
Could Home Depot surpass Target and become the retailer known for losing the most customer records to hackers?
Target ultimately admitted to losing sensitive data for some 110 million customers. Home Depot, which made headlines this week for becoming the latest marquee retailer hit by hackers, could yet top that number. Consider these factors:
Duration of hack. The Home Depot breach became public only after cybersecurity blogger Brian Krebs disclosed that banks had traced large batches of stolen account numbers appearing for sale in the cyber underground back to the home improvement chain.
That suggests the hacking group had been pulling out data, undetected, for a long period of time, perhaps as early as April, observes Patrick Thomas, security consultant at Neohapsis, a security and risk management consulting company.
“Historically, when organizations learn of their own compromise by reports from unrelated third parties it means that the intrusion has been ongoing for months,” Thomas says.
Type of hack. Multiple sources are reporting that the Home Depot hackers used a variant of the Backoff malware that was used to crack into the point-of-sale (POS) registers and data storage servers at the P.F. Chang bistro chain. And Backoff itself is a variant of the POS malware used to infiltrate Target’s systems in late 2013.
The P.F. Chang and Target breaches have been attributed to a hacking group based in Russia, known for using distinctive technologies for scraping random access memory (RAM) and evading antivirus detection. This group has also been selling data stolen from large retailers, labeled as “American Sanctions” and “European Sanctions,” says Itsik Hazan, marketing vice president at SentinelOne, a supplier of endpoint threat detection and response software.
“This seems to indicate that this was an act of retaliation against the U.S. and Europe for the economic sanctions placed on Russia in response to its actions in the Ukraine,” says Hazan. “If this is in fact a nation-state sponsored attack, it clearly raises the stakes for commercial organizations to urgently reform their security practices.”
Size of the retail chain. At the moment it is not clear how many Home Depot stores were affected. There are 2,200 Home Depot stores in the United States and 287 more in Canada, Guam, Mexico and Puerto Rico. Target has 1,795 stores in the United States and 130 in Canada. Krebs is reporting that the Home Depot breach “could be many times larger than Target,” which ultimately reported losing data files for 70 million customers and credit card records for 40 million customers.
“Home Depot feels like deja vu in the wake of Target’s massive breach,” says Eric Chiu, president at cloud security company HyTrust. “This should be another major wake up call to every company, especially given the connected world we live in. Concentrated data centers are gold mines for attackers.”
Security experts say there is not much individual consumers can do to stop sophisticated hacks designed to crack internal store systems.
“With the demands of technology ever growing and the ease of use for the customer becoming more and more important, the risk of hackers and malware to the storefront continues to rise,” says Adam Kujawa, director of intelligence at antimalware company Malwarebytes.