09/02/2014 Home Depot

As first reported by security researcher Brian Krebs multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

In an update by Krebs: several banks believe this breach may extend back to late April 2014 or early May 2014. The breach may include all 2,200 US Home Depot stores and perhaps the over 280 stores outside the U.S. including Canada, Guam, Mexico and Puerto Rico.

Again, the first notice of this breach was when an independent researcher saw the stolen information available for sale. There was no indication the compromised merchant knew about it before then.

An undated statement from Home Depot

9/03/2014 Zipcodes affected

Krebs provided a list of 1,822 affected zipcodes which included 00728 Ponce, PR on the southern coast of Puerto Rico to 99611 Kenai, AL in southern Alaska with 37076 Hermitage, TN in the middle. Krebs compared that to a list of all 1,932 Home Depot locations which included 00656 Guayanilla, PR, on the southern coast of Puerto Rico to 99801 Juneau, AK in southern Alaska with 37075 Hendersonville, TN in the middle.

Krebs noted: “Between those two lists of ZIP codes, there are 10 ZIP codes in Rescator’s card data that do not correspond to actual Home Depot stores.” He also cited Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) who sees a very strong correlation. “A 99+ percent overlap in ZIP codes strongly suggests that this source is from Home Depot”.

9/05/2014 52K+ compromised

A story from Portland’s WVSH 6 cited the Portland Press Herald’s analysis of the black market site and found that more than 52 thousand Maine card numbers are listed. They appear to come from all eleven Home Depot stores in Maine.

There is no specific attribution of where the 52 thousand numbers from Maine were listed. Was it from the cited site, or another site? Did it include only records from the Home Depot breach, or include others? An email sent to reporter J. Craig Anderson got a quick response, and on a Sunday too. The query was against the provided database which means it may have contained cards for sale from other breaches in addition to, or in place of, this breach. In 2013 Maine’s population was 1,328,302 people according to the US Census [ http://quickfacts.census.gov/qfd/states/23000.html ]. The same reference indicates the US has 316,128,839 making Maine about 0.42% of the population. If the Maine breach is a representative sample then the population of compromise is just over 12 million (52,000 / 0.0042 = 12,375,725) and that seems low.

9/07/2014 BlackPOS found

Some point of sale terminals were found infected with the new variant of the BlackPOS memory scraper malware. Here are details on BlackPOS. No new information from Home Depot.

9/08/2014 Home Depot Confirms Breach

In a press release Home Depot confirmed the breach, they are focusing on April 2014 forward, debit card PIN numbers may not have been compromised, no customer is liable for fraudulent charges, no-charge ID protection, including credit monitoring services, are being offered.

ATLANTA, September 8, 2014 — The Home Depot®, the world’s largest home improvement retailer, today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores. There is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com. While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised. Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware and protect customer data. The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on. Customers who wish to take advantage of these services can learn more at www.homedepot.com or by calling 1-800-HOMEDEPOT (800-466-3337). [ more at the press release]

9/18/2014 Malware in Self-Checkout Lanes

By being installed in fewer lanes the breach may be smaller than first thought, but still larger than the 52,000 cited on 9/5/2014 (see above). It may also be larger than the 12M from demographic analysis of Maine (also above). The information does not come from Home Depot, but from multiple sources on a conference call where MasterCard shared investigatory updates. Source

9/18/2014 56 million accounts compromised

Home Depot released a press release

The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards. The malware is believed to have been present between April and September 2014.

The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on. Customers who wish to take advantage of these services can learn more at www.homedepot.com or by calling 1-800-HOMEDEPOT (800-466-3337). Customers in Canada can call 800-668-2266. [ highlighting ours -ed ]

This challenges the previous sad record for most exposed financial accounts exposed in a single incident, the January 2007 TJX compromise which exposed 45.7 million (per TJX) or over 100 million according to other reports.

more from Krebs on Security

11/06/2014  53 million e-mail accounts compromised

In a press release today Home Depot reveals that, in addition to 56 million compromised payment cards, some 53 million email addresses were compromised. The information could be used in phishing attacks and consumers should be aware of any email purporting to be from any company that is requesting confidential consumer credentials via email.

12/03/2015  Possible settlement

Home Depot has reached a possible agreement (25 page PDF) with MasterCard International Inc. over the massive 2014 data breach. There is some anger from other banks because the agreement was disclosed on Monday November 30, 2015 and required responses in as little as two business days. Attorneys say in the court filing that “the communications suggest that Class members who do not participate in the Settlement will receive nothing, foregoing money that under MasterCard’s regulations they are entitled to receive without releasing their claims against Home Depot.” More …

7/23/2015  re settlement

Last night millions of people received e-mail about the settlement from the Home Depot breach almost two years ago. The same information is on line at http://HomeDepotBreachSettlement.com/.

If you used your card at Home Depot during the period you get credit monitoring [ yeah, lots of good that is going to do TWO YEARS LATER -ed ]. If you suffered a financial loss you might get compensation. There are two important dates:

    Final Approval Hearing: August 12, 2016 at 10:00 a.m.
    Claim Filing Deadline: October 29, 2016


Return to 2014 details page
Year links page
Return to References page