Security analysts say the damage with Home Depot’s recent data breach may be even more widespread than Target’s, and it may affect more customers. In fact, some news reports are pondering if this could be one of the largest breaches in history.
A Home Depot spokesperson told cyber security expert Brian Kreb:
“Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”
The similarities to the Target attack are too important to ignore, according to some cybersecurity experts. The credit card numbers stolen from Home Depot’s system have already appeared for sale on the same website where hackers sold Target customers’ information, rescator.cc. These recent numbers were discovered after multiple high-volume batches of stolen card numbers were uploaded to the site on September 2.
And in an official statement, Home Depot apologized for the “frustration and anxiety” this causes customers:
“We want you to know that we have now confirmed that those systems have in fact been breached, which could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward.”
What really has industry watchers concerned, however, is the nature of how the Target breach—and likely the Home Depot breach—was pulled off.
Essentially, experts believe it’s possible that in both cases the same method of breaking into the credit card payment systems was used, a method that installs harmful software that works its way around the network, gathering up personal information.
If these two breaches were pulled off in the same way, it points to a much larger problem in the retail industry: lack of adequate employee training and ineffective safeguards over corporate computer systems.
Malware, Phishing Emails to Blame?
The software that caused the Target breach was likely activated when an employee opened a “phishing” email and clicked on a link. This link downloaded the harmful software to the computer, which then spread to the network. While there’s no word on what this phishing email said, these emails often are intended to spark the reader’s curiosity or promise something outrageous so that the recipient will fall for it.
Even worse, the third-party contracting company where that employee worked didn’t have adequate malware blocking protection, instead relying on a free download to protect Target’s computer system.
If the Home Depot attack was pulled off with the same kind of malware infection, introduced into their computer system by an employee who wasn’t properly trained on not opening suspicious emails, it speaks to a lack of awareness of security protocols. That has identity theft experts very worried.
While Home Depot is posting cautious updates about the situation, it has already promised a full investigation, full coverage for any fraudulent charges, and credit monitoring services for affected customers. At the same time, analysts are cautioning retail companies that their employees must be more intensely trained to prevent them from opening the door to identity thieves.
What can you do?
Consumers will need to take the usual steps in the event that their card numbers were accessed: monitoring their financial statements and credit reports, reporting any suspicious activity, and possibly placing alerts or freezes on their credit reports to prevent new lines of credit from being opened.
However, this recent attack can also serve as a wake-up call to retailers. Company executives must ensure that their employees are properly educated on safe email practices, and can use this time to make sure their anti-virus and anti-malware security subscriptions are capable and up-to-date.