
tomm2thumbs

(13,297 posts)
Tue Sep 9, 2014, 10:46 PM

Home Depot Hack Could Be Biggest Card Breach Ever

Source: ABCNews

The huge hacking attack against Home Depot’s payment systems could turn out to be the biggest breach of any retailer’s data so far. The company confirmed the data break-in but did not say how many credit and data cards are affected. The total could be as much as 60 million, according to several experts. That would be far more than the total number of cardholders impacted by the breach at Target stores.

Home Depot said that it “strongly” encourages its customers to “review your payment card statements carefully and call your bank or card issuer if you see any suspicious transactions.” Card information for sale on criminal sites that was stolen from Home Depot shoppers “allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores,” Krebs said.

Read more: http://abcnews.go.com/blogs/business/2014/09/home-depot-hd-hack-could-be-biggest-card-breach-ever/




Home Depot said malware was used in the hack. I can imagine many folks who make purchases at Home Depot have high credit limits for large appliances and other purchases. Hopefully these folks are keeping a watchful eye on recent credit purchases.

Home Depot Hack Could Be Biggest Card Breach Ever (Original Post) tomm2thumbs Sep 2014 OP
I'm just gonna wait here Kalidurga Sep 2014 #1
given the damage Target's breach did to the company, my guess is Home Depot is going to take a hit tomm2thumbs Sep 2014 #2
Target's hit was in large part because they badly handled the response to the breach Skittles Sep 2014 #18
Simple solution: Make it a law that any store that takes credit or debit cards must carry insurance… Journeyman Sep 2014 #3
Actually, reputable credit card companies don't stick you with the bill dixiegrrrrl Sep 2014 #10
after the Target hack it is inconceivable that a major retailer would not be whereisjustice Sep 2014 #4
The only 100% secure system is the one that's off and unplugged. jeff47 Sep 2014 #11
Of course they can be hacked, but detecting the problem once hacked is not rocket science whereisjustice Sep 2014 #13
And you detect that by.... jeff47 Sep 2014 #14
This isn't nuclear engineering - it is simple greed and deliberate, criminal negligence whereisjustice Sep 2014 #15
CITI Bank manages their credit cards and loan services. Historic NY Sep 2014 #5
For you techies, here is more detail PuppyBismark Sep 2014 #6
I'm no techie but thanks for that, PB Cha Sep 2014 #8
thank you, so important I posted this in general discussion whereisjustice Sep 2014 #17
Most credit cards have alerts you can set to get quick notification of potential problems PuppyBismark Sep 2014 #7
Our credit union had a representative call us directly last month... Earth_First Sep 2014 #9
I got hit last week. O-Town Blue Sep 2014 #12
I don't allow any stores to hold credit card info except sony online. So when they got 'hacked' Sunlei Sep 2014 #16

Kalidurga

(14,177 posts)
1. I'm just gonna wait here
Tue Sep 9, 2014, 10:48 PM

for someone to say the victims shouldn't have posted their credit card info online.

tomm2thumbs

(13,297 posts)
2. given the damage Target's breach did to the company, my guess is Home Depot is going to take a hit
Tue Sep 9, 2014, 10:56 PM

and probably a pretty huge hit --

Target's hit due to their hack was crazy -- $235 million dollars!



http://www.mprnews.org/story/2014/08/05/target-data-breach

Skittles

(152,967 posts)
18. Target's hit was in large part because they badly handled the response to the breach
Thu Sep 11, 2014, 12:00 AM

it was like they had no plan of action should a breach occur

Journeyman

(15,001 posts)
3. Simple solution: Make it a law that any store that takes credit or debit cards must carry insurance…
Tue Sep 9, 2014, 11:27 PM

sufficient to cover the expense of notifying all customers of any potential breach, as well as large enough to cover the expenses their customers will incur correcting this situation and replacing their compromised cards.

Do this, and the switch to the more secure, European-style "chip and pin" card system will be swiftly accomplished, no matter what the present complaints from store owners about their supposed "additional costs."

Right now, the only ass on the line is yours and mine, so the banks and stores have little to no interest in resolving this situation. So hit 'em in the same place we're getting whacked -- the pocketbook -- then stand aside to avoid being trampled as they move swiftly to protect their own asses (and we'll gain protection too, even though it be by default).

dixiegrrrrl

(60,010 posts)
10. Actually, reputable credit card companies don't stick you with the bill
Wed Sep 10, 2014, 09:39 AM

which is one of the reasons I use credit cards, esp. for online purchases.
I always pay them off when the bill comes.

And, my local community bank just informed me that they will hold debit card customers harmless if a theft is promptly reported.
Promptly defined as within 30 days or so.
They did this because hackers are so prevalent now.

whereisjustice

(2,941 posts)
4. after the Target hack it is inconceivable that a major retailer would not be
Tue Sep 9, 2014, 11:37 PM

prepared for this. At what point do we stop calling this an "attack" and start calling it what it is, gross negligence by company management.

If you are a bank and you keep money in the open, with no safe, because you are trying to cut costs, or you outsource your security to India, you should be open to civil lawsuits by customers when their money gets stolen.

Management must have known their systems were not secure, to claim that there was no sign of a breach until after a hundred million card numbers were stolen defies any sense of reason.

Understand that retailers have no incentive to prevent theft like this because they believe it is still cheaper to deal with the theft than to hire the people and change the technology that would eliminate this problem once and for all.

In a well-functioning society, the CEO would be immediately fired. But here in Idiotville, USA, he'll probably get a massive bonus.

jeff47

(26,549 posts)
11. The only 100% secure system is the one that's off and unplugged.
Wed Sep 10, 2014, 10:39 AM

Everything is hackable. It is not possible to create a 100% secure system and have that system do useful work.

All you can do is make it so that the data stored in the system is useless. Such as using one-time codes instead of an unchanging credit card number. That way when the data is stolen, it is not useful to the hacker.

And yes, that's "when" the data is stolen. Not "if".

whereisjustice

(2,941 posts)
13. Of course they can be hacked, but detecting the problem once hacked is not rocket science
Wed Sep 10, 2014, 07:50 PM

This data is coming from POS terminals. With everything known from these exploits, starting with the Olympics in Russia to Target, Marriott, etc., it isn't that hard to figure out if your system is sending data outside the network sourced from your terminals. Heads should roll.

Not only that, we are spending 10s (100s?) of billions of dollars a year on MASSIVE cyber warfare center and NSA etc. who is monitoring all the tiers and NSA is trading naked pictures they find on the internet. So, even if dumb ass executives are outsourcing their IT security to India or Brazil or wherever, the fact that this wasn't nipped in the bud by external monitoring tells us all that goddamn money is being wasted on bullshit.

Making things worse, the US is practically the last place on Earth still using the swipe system. There is simply no excuse for this.

Perhaps dumb ass insurance companies are paying against the claims of dumbass executives too cheap to properly secure and monitor their networks because there is ZERO incentive for these corporations to safeguard our data. Ultimately it's the people who can least afford it who will be paying the price to make up for the losses of these banks and insurance companies, not to mention the literal hell and incalculable costs as people are forced to resolve bad charges and fight to clean up their identity.

You can't stop the hacks, but you sure as hell can make the damage relatively negligible. Putting the CEO in front of a grand jury would be a good place to start finding out what the hell went wrong.

Of course, that will be just as soon as we are done prosecuting all the bankers who fucked us over for trillions of dollars during the last economic meltdown which is a long way of saying never.

Further making my point - Apple was hacked by pw retry!!!! Holy Jesus, what kind of software system isn't tested against the most primal attacks like this?

It's the same reason our stock bubble is going to crash again in the near future, there is ZERO risk of prosecution for corporate malfeasance and deliberate negligence.




jeff47

(26,549 posts)
14. And you detect that by....
Wed Sep 10, 2014, 08:34 PM

How do you detect the data is flowing the wrong way?

Systems that are themselves exploitable.

Think about how the Iranian nuclear program was hacked. The centrifuges were programmed to spin too fast to cause them to break. To disguise this, they slowed down other centrifuges to hide the extra power consumption. And they had the monitoring software hide the speed changes.

Plus, you're assuming the terminals are on an actual separate network. A whole lot of them are on VPNs, so it looks like Internet traffic.

whereisjustice

(2,941 posts)
15. This isn't nuclear engineering - it is simple greed and deliberate, criminal negligence
Wed Sep 10, 2014, 10:10 PM

I am familiar with coms/network industry, we aren't talking James Bond, more like Barney Fife. Except Fife was harmless. These goddamn CEOs are a threat. The fucker should be charged and/or put in front of a grand jury. Class action civil suit at a minimum.

From the PuppyBismark link farther down this thread.


In the name of profit Target and Home Depot refused to protect customers; now customers' credit cards are stolen

In the wake of a stunning data breach at America's largest home improvement retail chain, The Home Depot, Inc. (HD), a stunning picture of negligence is slowly emerging. Both Home Depot and Target Corp. (TGT) -- whose registers were compromised last December -- appear to have fallen victim to a decade-old exploit of Windows XPe.

What's more, these losses -- which may total as many as 100 million customer credit and debit card numbers -- could have likely been prevented by simply paying to upgrade to a more modern Microsoft Corp. (MSFT) operating system, such as Windows 7 for Embedded Systems. But since Target, Home Depot, and others have refused to protect customers, customers are now paying the price. Banks are scrambling to try to control the damage of these massive intrusions perpetrated by hackers in Russia and Ukraine. But much damage is already done and will yet be done due to retailers' appalling technical negligence.

I. Windows XPe -- The OS Behind Retail's Credit Card Breaches

This week Brian Krebs, a top security researcher affiliated with The Washington Post, wrote in his blog Krebs on Security fresh details of a hack that potentially compromised millions of Americans' credit cards. Mr. Krebs had broken word of the hack last Tuesday, writing that it appeared to be the work of Russian hackers. Now he's offered up fresh details on the malware they used to siphon credit card numbers (CCNs) from checkouts of Home Depot.

PuppyBismark

(593 posts)
6. For you techies, here is more detail
Wed Sep 10, 2014, 12:51 AM

Once more American Corporations look to quick profits at the cost of customer satisfaction and possibly long term expense. The Home Depot hack is based on the same problem that Target had and Home Depot did not want to make the investment in the changes needed to protect their customers and their reputation.

http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm

PuppyBismark

(593 posts)
7. Most credit cards have alerts you can set to get quick notification of potential problems
Wed Sep 10, 2014, 12:58 AM

I know that Discover and Amex (Including Costco) have alerts you can set.

Amex: you can get an email and/or text message every time someone charges your account and does not have the card in their possession. This is typical of all internet charges and those made by people who possess stolen card numbers (but not all).

Both Amex and Discover allow you to set alarms for charges above a limit you set.

Not sure about Visa and MC. Also, Visa and MC cards are not centrally managed like Discover and Amex. The alarms are at the discretion of your bank or card processor.

Earth_First

(14,910 posts)
9. Our credit union had a representative call us directly last month...
Wed Sep 10, 2014, 08:07 AM

...on a SATURDAY (not normal operating hours) to ask us if we were traveling due to out-of-state transactions posting to the account while we were on vacation.

90% of this issue lies with the corporation and the banks and their gross negligence, as was pointed out upthread.

However, as a consumer there are options available to us to refuse the banking status quo and look into credit union options available to you.

I realize that this may not be possible in every consumer situation, however for tens upon tens of thousands...it is an option.

Buck the trend of 'banking' and become a member of your community credit union...

O-Town Blue

(12 posts)
12. I got hit last week.
Wed Sep 10, 2014, 01:07 PM

Someone racked up $215 worth of purchases at a Walmart 4 hours away from me. I check my balances obsessively, so I caught the charges minutes after they went through and was able to get them removed in relatively short order. I shop at Home Depot pretty regularly and figure this is how my information got hacked.

Be careful, everyone, and check your bank activity regularly, even if you haven't shopped there.

Sunlei

(22,651 posts)
16. I don't allow any stores to hold credit card info except sony online. So when they got 'hacked'
Wed Sep 10, 2014, 10:32 PM

a couple years ago my credit card number was taken. I changed the card right away and so never had a problem.

However, what was funny/weird is I got a few phone calls, where the caller said they were from a company I made orders from (years ago) and were offering great deals for product reorders. Was not a Sony company. Somehow when my card info was hacked, the scammers got lists of old transactions I made with that card.

Anyway, I recommend people do not allow any business to hold your card numbers. If you do, have the bank alert you by email every time there is a transaction over say, $300. That way you will quickly know your card is being used.
