Home Depot provides update on data breach investigation


Home improvement retailer The Home Depot, which revealed in September that its payment data systems had been breached, has disclosed additional information related to the company’s recent hacking incident. The findings are the result of investigations in cooperation with law enforcement and third-party IT security experts.

The big revelation in the latest update is that, in addition to credit card data, the hackers got access to separate files containing 53 million email addresses. Home Depot says the files did not contain passwords, payment card information or other sensitive personal data, but it warned customers to be on the lookout for possible phishing scams.

The company says cyber criminals used a third-party vendor’s user name and password to enter Home Depot’s network; however, those stolen credentials alone did not provide direct access to the company’s point-of-sale devices. Instead, the hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy “unique, custom-built malware” on its self-checkout systems in the U.S. and Canada.

The company reiterated that the malware used in the attack had not been seen in any prior attacks and was designed to evade detection by antivirus software. It also reaffirmed that the hackers’ method of entry has been closed off and the malware has been eliminated from the company’s systems.

To help prevent future breaches, the company says it has implemented enhanced encryption of payment data in all U.S. stores. The new security protection locks down payment card data, taking raw payment card information and scrambling it to make it unreadable. Home Depot’s encryption technology is provided by Voltage Security, Inc.

Implementation of the project, launched in January 2014, was accelerated after the breach and completed in all U.S. stores on Sept. 13. The company says the rollout to Canadian stores will be completed by early 2015.

Home Depot will also deploy EMV chip-and-PIN technology, which uses microchips to support higher security authentication methods and has been available in the company’s Canadian stores since 2011.

[ image courtesy of The Home Depot ]


Comments

  1. says

    The issue with Home Depot from a culture perspective is no different than many other organizations, and that’s one of the biggest problems. As an information security specialist for many years, I unfortunately see the same recurring theme with businesses time and time again, and that’s the failure to implement comprehensive security policies, procedures, processes, and other fundamental initiatives. With so many free and cost-effective solutions available online, there are really no excuses as to why businesses don’t take the necessary steps for ensuring the safety and security of one’s entire network infrastructure. What’s also frustrating is not seeing comprehensive security awareness training and other basic, fundamental programs, like annual risk assessments, that should be in place for further helping protect organizational assets. There are literally hundreds of sites offering free employee training material. It’s time companies got serious about security and not just profits because data breaches are continuing to grow at such an alarming rate. Think about it, what business do you even have if a significant data breach occurs? Kiss your profits goodbye and say hello to the onslaught of lawsuits sure to arrive.
