Home Depot reveals the extent of the data breach and prompts calls for mandatory data breach notification at Federal level

November 8, 2014

Home Depot previously announced that it lost 56 million payment card details in a data breach (see my post on 24 September here). It has now announced that the data breach also involved the theft of 53 million email addresses. Home Depot made the announcement on its website, stating:

Customer update on data breach

Today, we are providing an update on the investigation into the breach of our payment data systems. Our investigation to date has determined the hackers stole separate files containing email addresses, in addition to the payment card data we announced in September that may have been compromised.

The files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information. As we reported on Sept. 18, the method of entry used by the hackers has been closed and the malware eliminated from our systems. 

We are making every effort to notify any customer whose email address was taken. 

In all likelihood this will not impact you. But, as always, it’s important to be on guard against phishing scams that are designed to trick you to provide personal information in response to phony emails. It is important not to give out personal information on the phone, through the mail or on the Internet, unless you have initiated the contact and are sure of who you’re dealing with. Similarly, you should not click directly on any email links if you have any doubts about whether the email comes from a legitimate source.

Additional information about how to avoid phishing scams is available by typing https://www.onguardonline.gov/articles/0003-phishing into your web browser.

We want to emphasize that you will not be liable for any fraudulent charges to your accounts and we’re offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.

You can learn more about the identity protection services and how to sign up for them by typing https://homedepot.allclearid.com into your web browser.

As always, it is also important to closely monitor your payment card accounts and to report unusual activity to your issuing bank.

We apologize for the frustration and inconvenience this breach may have caused. 

Reuters reports on the statement in “Home Depot says about 53 million email addresses stolen in breach”, which provides:

Home Depot Inc (HD.N), the world’s largest home improvement chain, said about 53 million email addresses were stolen during a recent breach of its payment data systems, in addition to some 56 million payment cards previously disclosed by the retailer.

The company, which confirmed the theft in September, said the stolen files that contained the email addresses did not include passwords, payment card information or other sensitive personal information.

Home Depot, which had estimated that the breach would cost about $62 million, was one of a string of U.S. retailers attacked by hackers over the past year.

Criminals used a third-party vendor’s user name and password to enter the perimeter of its network, Home Depot said in a statement on Thursday.

The hackers then acquired “elevated rights” that allowed them to navigate parts of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada, according to the company.

Home Depot said the stolen credentials did not alone provide direct access to the company’s point-of-sale devices.

Since September, the company has implemented enhanced encryption of payment data in all U.S. stores and said the rollout to Canadian stores will be completed by early 2015.

This, however, was “really lipstick on a pig” and the proper solution was to add chips and PINs, or EMV technology, to U.S. credit cards, said David Campbell, chief security officer at SendGrid, a cloud-based email delivery service.

Home Depot said it was already rolling out the EMV technology.

The company reaffirmed its 2014 sales growth forecast of about 4.8 percent and earnings per share forecast of $4.54.

The forecast includes estimates for the cost to investigate the data breach, provide credit monitoring services to its customers as well as legal fees, the company said.

The company maintained that it has not yet estimated the impact of “probable losses” related to the breach.

“Those costs may have a material adverse effect on The Home Depot’s financial results in the fourth quarter of fiscal 2014 and/or future periods,” the company said.

Home Depot shares closed up 1.6 percent at $97.29 per share on Thursday on the New York Stock Exchange.

Target Corp’s (TGT.N) unprecedented breach saw hackers steal at least 40 million payment card numbers and 70 million other pieces of customer data in 2013.

The Final Merchant Group has written to key Congressional leaders calling for comprehensive data breach notification laws. Interestingly, Australia is far back in the pack on data breach notification. Most American states have data breach notification laws.



