Chuck Bednar for redOrbit.com – Your Universe Online
A September breach that resulted in the theft of 56 million credit and debit cards belonging to Home Depot customers also saw hackers steal roughly 53 million email addresses, the retailer revealed this week.
The stolen files that contained the email addresses did not include any passwords, payment card information or other sensitive personal data, according to Reuters. Home Depot, which previously estimated the incident would cost about $62 million, said that a third-party vendor’s log-in credentials were used to access its network.
“The findings – which come after more than two months of investigations by the company, law-enforcement agents and hundreds of security personnel – show the home-improvement retailer fell victim to the same type of infiltration tactics as Target Corp., where hackers gained access last year via a Pennsylvania-based refrigeration contractor’s electronic billing account,” said Shelly Banjo of The Wall Street Journal.
Once they breached the perimeter of Home Depot’s network, the hackers acquired “elevated rights” that allowed them to navigate through it and deploy custom-built malware on self-checkout systems in the US and Canada, the company said in a statement. It added that, since the incident, enhanced payment data encryption techniques had been implemented in all US stores, and that those measures would be available in Canada early next year.
“Retailers have been criticized by computer-security experts for failing to isolate sensitive parts of their networks from those that are more accessible to outsiders,” Banjo added. “Target made changes after the attack last holiday season to address those ‘segmentation’ issues. Home Depot, however, doesn’t believe that its network design was at fault, according to people briefed on the investigation.”
One of the takeaways from Home Depot’s investigation, however, is the fact that email addresses had also been stolen by the hackers – which security expert Brian Krebs warned could be used to target people in phishing attacks (like sending them a fake survey claiming to offer a free gift card to participants to trick them into opening a malware-infected attachment).
“The bigger problem, the company’s executives have said, is that Home Depot moved too slowly to bolster its security defenses and too often focused on meeting standards designed to detect known threats rather than anticipating the fluid, fast-moving tactics of hackers who are increasingly going after retailers,” Banjo said.
Once the hackers gained access to Home Depot’s systems, they were able to exploit a vulnerability in Windows, people briefed on the investigation told The Wall Street Journal. Microsoft issued a patch once the attacks began, and though Home Depot installed it, the fix came too late to prevent the breach. The hackers targeted self-checkouts because those were clearly identified as payment terminals, whereas standard cash registers were not.
“The hackers evaded detection in part because they moved around Home Depot’s systems during regular daytime business hours and designed the malware to collect data, take steps to transmit it to an outside system and erase its traces,” Banjo said, adding that the malware “lurked undetected for five months” and “might have gone unnoticed for much longer if the hackers hadn’t put batches of stolen credit-card numbers up for sale while a number of Home Depot executives were away on vacation for the Labor Day holiday.”
In its statement, Home Depot said that it would continue to cooperate with law enforcement and to work on enhancing its security measures. The company also said it would offer free identity protection and credit monitoring services to any customer who used a payment card at a Home Depot store since April 2014.
Home Depot Hackers Also Swiped 53 Million Email Addresses