Shoppers at Home Depot stores may have had their credit card security details leaked online, after a massive batch of card information went on sale on a criminal internet site this week, according to veteran security writer Brian Krebs, who reported the possible breach on his Krebs on Security website. Krebs claims the breach may be the biggest yet seen.
The credit card security breach could have begun as early as April or early May of this year, and may be linked to hackers responsible for the breaches at Target and P.F. Changs, according to Krebs. Separate batches of debit and credit card details from European and American shoppers have been offered for sale on a criminal website this week.
U.S.A. Today reports that the breach could dwarf even the Target Breach, in which 40 million debit and credit accounts were compromised.
Fox Business News reported that Home Depot has, as yet, not confirmed the scale of the breach.
“Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately,” spokesperson Paula Drake said in a statement.
The card data were offered for sale under the title, “American Sanctions,” which Krebs interpreted as related to the ongoing conflict in the Ukraine. Stolen information from European cards which had been used in the stores were sold separately as “European Sanctions,” Krebs reported.
Home Depot shares dropped 2.6% at the news, Fox Business reported.
Krebs’ spoke to several banks, and his latest update hints that this breach could be the biggest yet seen. “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period,” he says.
Mark James, security specialist at ESET says, “The news of another credit card hack is not surprising – but is no less worrying. It seems that no company is safe and if you have EVER used a credit card to purchase goods then you may be at risk.”
“It is thought the original team that targeted P.F.Chang’s and Target are also the perpetrators here, and due to the amount of data that has been stolen it stands to reason it will be used or released in batches over time.”
ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”
ESET’s James says, “Nothing can be done about the data already stolen, but we could take some actions to lessen the impact of compromised credit cards. Don’t just have a single credit for all uses: for instance, separate your physical purchases (in store) and your online purchases by using different credit cards for each.”
“At least that way if one gets lost or stolen it’s not so much of an impact to get it stopped and replaced, also it’s always good practice to keep an eye on your credit statement for small or unusual payments, often small (under the radar) amounts are processed to test if the cards are valid. If they go through then larger amounts will follow.”
“If you spot something unusual notify your bank immediately. As always, it’s imperative the organization in question notifies all parties involved in any security breach so we the public can take action quickly.”
Author Rob Waugh, We Live Security