Home Depot Confirms Extent of Breach
Sept. 22, 2014
On Thursday, Atlanta-based do-it-yourself hardware chain Home Depot confirmed that the data breach it acknowledged on Sept. 8, which was first reported by security blogger Brian Krebs on Sept. 2, exposed the information of 56 million unique payment cards, officially making it the largest retail card breach ever reported, according to multiple sources. The company also noted that the malware used in the attacks had never been identified before by its security consultants or law enforcement. The company maintains that no PIN information was compromised in the attack, but Krebs has reported bank sources are seeing high incidences of fraudulent debit cards being used to empty bank accounts. Speculation by security experts has posited that enough information has been collected in the breach that thieves are able to get new PINs issued for stolen debit cards via automated IVR systems with weak authentication methods.
While retail breaches are not directly a card-not-present problem, the reaction to them—accelerated implementation of EMV-compliant POS systems—could portend a spike in card-not-present fraud as criminals who can no longer use counterfeit cards to monetize their illegal information turn to e-commerce sites to do so. Part of Home Depot’s response on Thursday centered around the company’s EMV progress in the U.S. (it’s Canadian stores that were breached already have EMV terminals), which it said will be completed by the end of 2014, nearly a year ahead of the mandates set by Visa and MasterCard. But, to read what’s in store for e-commerce and other card-not-present merchants in a post-EMV world, check out our three-part series from earlier this year that examined how retail security breaches will affect your CNP business in the near and long term.