If you shop at Home Depot, then today's blog post is for you. On November 6, 2014, Home Depot disclosed more details about its data breach investigation. Criminals gained access to the retailer's computer network by using a third-party vendor's credentials (e.g., user name and password), and:
"These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada... separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information."
The announcement did not explain how the criminals gained "elevated rights" with the stolen credentials. Home Depot did not disclose the name of the third-party vendor.
In a prior September 8, 2014 press release (Adobe PDF, 188.4K), the retailer confirmed the breach affecting shoppers who used credit cards in its stores during April to September of 2014. The retailer began its breach investigation on September 2 after several banks and law enforcement agencies notified it of a possible breach. Also on September 8, the retailer offered affected shoppers free credit monitoring services. To learn more about these services, interested shoppers should visit the Home Depot website or call in the USA 1-800-HOMEDEPOT (800-466-3337). Shoppers in Canada should call 800-668-2266.
In its latest announcement, Home Depot said it is notifying affected shoppers in the United States and Canada. The stolen e-mail data means that affected shoppers should also be on alert for phishing e-mail scams designed to trick consumers into revealing their sensitive personal and financial information.
How should consumers view Home Depot's breach?
53 million affected shoppers is a massive breach. If your credit card payment information has been stolen, the hackers will likely sell the stolen information to other criminals who will then try to use the stolen information to make purchases and/or take out new loans fraudulently. This is what identity criminals do. So, it's wise to seriously consider the retailer's offer of free credit monitoring services.
As things progress, we will probably hear more details about its breach investigation. In its latest announcement, Home Depot did not disclose how many shoppers experienced both stolen e-mails and stolen credit card payment information. This overlap is important. If the overlap was 100 percent, then that says something very different than an overlap of 5 percent. If the overlap was concentrated in certain stores or states, then that says something else. To feel comfortable about shopping at Home Depot, shoppers deserve an explanation of both the overlap and how the related security holes are being fixed.
Back in September, Home Depot took the opportunity in its breach announcement to also announce the upcoming availability of its smart loyalty cards with EMV chips embedded. It seems that the retailer hopes that its smart loyalty cards will help make shoppers feel comfortable. So, we'll probably hear more about its smart cards during the coming weeks. However, smart cards alone do not make a computer network or its purchase transactions secure.
While consumers may not focus upon the "elevated rights" statement in Home Depot's latest announcement, you can bet that data security experts, banks, and other retailers are watching closely. Why? eWeek provided an interesting analysis:
"That's the real root cause, in my view—a privilege escalation flaw. Getting into the network itself is interesting, but without the right privileges, which the third-party vendor did not have, the attacker could not do any damage... Home Depot has also reiterated that the malware that was deployed by the attackers, once they had executed their privilege escalation attack, was malware that had previously been unknown. That means it was not the Backoff malware that has impacted 1,000 retailers. What the new Home Depot breach details clearly show is that the breach was a multistage attack that wasn't just about any one failure but rather several defensive inadequacies. Third-party access was breached by an attacker, so that's one point of failure. The privilege escalation issue is the second. The undetected malware itself is the third point of failure. Finally, the fact that the data was taken out from the network without detection is the icing on the cake."
EMV chips won't fix these four failures. Free credit monitoring services won't fix these four failures. The retailer needs to improve its computer systems end-to-end, as the eWeek analysis suggested. What are your opinions of the breach? Of Home Depot's breach investigation? Of the eWeek analysis?