By Matt Townsend and Chris Strohm
Sept. 3 — Home Depot Inc.’s investigation of a suspected hacker attack is renewing pressure on retailers and credit card providers to strengthen payment-system security.
The largest home improvement chain said Sept. 2 that it was working with banks and law enforcement on the possible incursion, following a report by KrebsOnSecurity that a “massive” batch of stolen credit and debit card information was posted for sale online.
The probe comes a week after JPMorgan Chase & Co. and at least four other banks were targeted by hackers in a coordinated attack. Celebrities relying on Apple Inc.’s iCloud service to store photos also had nude pictures stolen and posted online in recent days, showing that both corporations and individuals need to tighten security practices. Target Corp., Supervalu Inc. and Neiman Marcus Group Ltd. are among retail chains that have recently endured attacks.
“The criminals are getting smarter and faster than the companies,” said Jaime Katz, an analyst at Morningstar Inc. in Chicago. If the Home Depot breach is on the same scale as Target’s incident last year, “there is obviously significant concern,” she said.
Home Depot shares fell 2 percent to $91.15 Sept. 2, marking the largest one-day decline in almost five months, after the company said it was looking into the possible breach. It also prompted credit card companies such as Citigroup Inc. to step up efforts to protect customers. The National Association of Federal Credit Unions has called on Congress to act in light of the breach.
The incident raises fresh questions about retailers’ slow adoption of “chip and PIN” technology, which makes cards more secure, said Michael Sutton, vice president of security research for San Jose, California-based cloud-computing company Zscaler Inc.
“Retailers are now seeing firsthand why the technology is necessary and how technology costs pale in comparison to the direct and indirect costs associated with a major data breach,” Sutton said.
Some U.S. companies have fallen behind schedule in updating their systems with the technology, also known as EMV—short for Europay-MasterCard-Visa, the companies that first backed the approach. Credit card networks have set an October 2015 deadline for most U.S. merchants to upgrade their payment systems.
EMV is considered more secure because it’s harder to copy account numbers and security codes from chips than from the magnetic stripes on most cards used in the U.S. EMV cards create a unique code for each transaction, making them more difficult to hack or counterfeit than magnetic-stripe cards.
“The technology has not been widely adopted in the U.S., primarily due to lobbying by retailers who were concerned about the cost of implementing the technology,” Sutton said.
Brian Krebs, the independent journalist who uncovered the hacker attack at Target last year, said Sept. 2 that there’s evidence that the latest stolen credit card data is linked to Home Depot stores.
Target, the Minneapolis-based chain, has shown how devastating a data breach can be to a retailer. Hackers struck the company last year during the height of the holiday shopping season, tarnishing its reputation and hampering sales. Target’s slow reaction to the incident also drew criticism from lawmakers, and the company ousted its chief executive officer in May. Brian Cornell, a former PepsiCo Inc. executive who took the helm at Target last month, is now working to pick up the pieces.
An investigation by Bloomberg Businessweek found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers—along with 70 million addresses, phone numbers and other pieces of personal information.
In Home Depot’s case, the suspected breach may have occurred in late April or early May, and could encompass all 2,200 of the company’s stores in the U.S., Krebs said. That means it could be larger than the Target incident, he said.
The attack also may have been performed by the same group of hackers that infiltrated Target, possibly as retribution for the U.S. and Europe placing sanctions on Russia, Krebs said. Stolen cards were marketed on a website by the hackers as being “European Sanctions” and “American Sanctions,” he said.
Paula Drake, a spokeswoman for Atlanta-based Home Depot, said Sept. 2 that the company hadn’t yet established that a breach had occurred.
“We’re looking into some unusual activity,” she said. “We are aggressively gathering facts at this point while working to protect customers.”
The company also posted a note to shoppers on its website, urging them to monitor their accounts and report any suspicious activity.
“If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers,” the company said. “We’re working hard to get you the information you need as quickly as possible and will continue to provide updates as we learn more.”
Citigroup, the third-biggest credit card issuer in the U.S., said it’s escalating prevention and detection efforts in the wake of the investigation.
“We are actively monitoring accounts, and if we see suspicious activity we will take appropriate actions, which may include reissuing cards for customers,” Janis Tarter, a spokeswoman for the New York-based bank, said in an e-mailed statement. “We want our customers to know that, consistent with legal requirements, they are not liable for any unauthorized use of their accounts.”
Trish Wexler at JPMorgan, the biggest U.S. credit card lender, had no immediate comment.
Other chains have suffered hacker attacks in recent months, including the supermarket company Supervalu and the Asian-themed eatery P.F. Chang’s China Bistro Inc.
Apple, meanwhile, is coping with the fallout from the theft of photos from its iCloud online storage service. Apple said Sept. 2 that the pictures were stolen individually via targeted attacks and it didn’t suffer a data breach. Nude photos of celebrities such as Jennifer Lawrence were posted online as a result of the intrusion.
The hackers who targeted Home Depot probably took their time to retrieve the data without detection, said Trey Ford, global security strategist for Boston-based software security company Rapid7 LLC.
“They are efficient, they are focused, and they manage their risk and exposure the same way a businessperson would,” he said. “It’s kind of a slow game of cat and mouse.”
In most cases, retailers haven’t detected the data breaches themselves. Credit card companies and law enforcement have uncovered them after seeing suspicious transactions, weeks or months after the information is first stolen, said Zscaler’s Sutton. That shows retailers have a long way to go to improve their security, he said.
“It is concerning that gigabytes of credit card data can be siphoned from hundreds of retail stores each day for months and ultimately be sent to attackers in Eastern Europe without alarms being raised or reacted to,” Sutton said.
To contact the reporters on this story: Matt Townsend in New York at email@example.com; Chris Strohm in Washington at firstname.lastname@example.org
To contact the editors responsible for this story: Nick Turner at email@example.com; Elizabeth Wasserman at firstname.lastname@example.org
©2014 Bloomberg L.P. All rights reserved. Used with permission.