By Matt Townsend and Chris Strohm
Sept. 3 — Home Depot Inc.’s investigation of a suspected hacker attack is renewing pressure on retailers and credit card providers to strengthen payment-system security.
The largest home improvement chain said Sept. 2 that it was working with banks and law enforcement on the possible incursion, following a report by KrebsOnSecurity that a “massive” batch of stolen credit and debit card information was posted for sale online.
The probe comes a week after JPMorgan Chase & Co. and at least four other banks were targeted by hackers in a coordinated attack. Celebrities relying on Apple Inc.’s iCloud service to store photos also had nude pictures stolen and posted online in recent days, showing that both corporations and individuals need to tighten security practices. Target Corp., Supervalu Inc. and Neiman Marcus Group Ltd. are among retail chains that have recently endured attacks.
“The criminals are getting smarter and faster than the companies,” said Jaime Katz, an analyst at Morningstar Inc. in Chicago. If the Home Depot breach is on the same scale as Target’s incident last year, “there is obviously significant concern,” she said.
Home Depot shares fell 2 percent to $91.15 Sept. 2, marking the largest one-day decline in almost five months, after the company said it was looking into the possible breach. It also prompted credit card companies such as Citigroup Inc. to step up efforts to protect customers. The National Association of Federal Credit Unions has called on Congress to act in light of the breach.
The incident raises fresh questions about retailers’ slow adoption of “chip and PIN” technology, which makes cards more secure, said Michael Sutton, vice president of security research for San Jose, California-based cloud-computing company Zscaler Inc.
“Retailers are now seeing firsthand why the technology is necessary and how technology costs pale in comparison to the direct and indirect costs associated with a major data breach,” Sutton said.
Some U.S. companies have fallen behind schedule in updating their systems with the technology, also known as EMV—short for Europay-MasterCard-Visa, the companies that first backed the approach. Credit card networks have set an October 2015 deadline for most U.S. merchants to upgrade their payment systems.
EMV is considered more secure because it’s harder to copy account numbers and security codes from chips than from the magnetic strips on most cards used in the U.S. EMV cards create a unique code for each transaction, making them more difficult to hack or counterfeit than striped cards.
“The technology has not been widely adopted in the U.S., primarily due to lobbying by retailers who were concerned about the cost of implementing the technology,” Sutton said.
Brian Krebs, the independent journalist who uncovered the hacker attack at Target last year, said Sept. 2 that there’s evidence that the latest stolen credit card data is linked to Home Depot stores.
Target, the Minneapolis-based chain, has shown how devastating a data breach can be to a retailer. Hackers struck the company last year during the height of the holiday shopping season, tarnishing its reputation and hampering sales. Target’s slow reaction to the incident also drew criticism from lawmakers, and the company ousted its chief executive officer in May. Brian Cornell, a former PepsiCo Inc. executive who took the helm at Target last month, is now working to pick up the pieces.
An investigation by Bloomberg Businessweek found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers—along with 70 million addresses, phone numbers and other pieces of personal information.
In Home Depot’s case, the suspected breach may have occurred in late April or early May, and could encompass all 2,200 of the company’s stores in the U.S., Krebs said. That means it could be larger than the Target incident, he said.
The attack also may have been performed by the same group of hackers that infiltrated Target, possibly as retribution for the U.S. and Europe placing sanctions on Russia, Krebs said. Stolen cards were marketed on a website by the hackers as being “European Sanctions” and “American Sanctions,” he said.
Paula Drake, a spokeswoman for Atlanta-based Home Depot, said Sept. 2 that the company hadn’t yet established that a breach had occurred.
“We’re looking into some unusual activity,” she said. “We are aggressively gathering facts at this point while working to protect customers.”
The company also posted a note to shoppers on its website, urging them to monitor their accounts and report any suspicious activity.
“If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers,” the company said. “We’re working hard to get you the information you need as quickly as possible and will continue to provide updates as we learn more.”
Citigroup, the third-biggest credit card issuer in the U.S., said it’s escalating prevention and detection efforts in the wake of the investigation.
“We are actively monitoring accounts, and if we see suspicious activity we will take appropriate actions, which may include reissuing cards for customers,” Janis Tarter, a spokeswoman for the New York-based bank, said in an e-mailed statement. “We want our customers to know that, consistent with legal requirements, they are not liable for any unauthorized use of their accounts.”
Trish Wexler at JPMorgan, the biggest U.S. credit card lender, had no immediate comment.
Other chains have suffered hacker attacks in recent months, including the supermarket company Supervalu and the Asian-themed eatery P.F. Chang’s China Bistro Inc.
Apple, meanwhile, is coping with the fallout from the theft of photos from its iCloud online storage service. Apple said Sept. 2 that the pictures were stolen individually via targeted attacks and it didn’t suffer a data breach. Nude photos of celebrities such as Jennifer Lawrence were posted online as a result of the intrusion.
The hackers who targeted Home Depot probably took their time to retrieve the data without detection, said Trey Ford, global security strategist for Boston-based software security company Rapid7 LLC.
“They are efficient, they are focused, and they manage their risk and exposure the same way a businessperson would,” he said. “It’s kind of a slow game of cat and mouse.”
In most cases, retailers haven’t detected the data breaches themselves. Credit card companies and law enforcement have uncovered them after seeing suspicious transactions, weeks or months after the information is first stolen, said Zscaler’s Sutton. That shows retailers have a long way to go to improve their security, he said.
“It is concerning that gigabytes of credit card data can be siphoned from hundreds of retails stores each day for months and ultimately be sent to attackers in Eastern Europe without alarms being raised or reacted to,” Sutton said.
©2014 Bloomberg L.P. All rights reserved. Used with permission.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).