Home improvement retailer The Home Depot, which revealed in September that its payment data systems had been breached, has disclosed additional information related to the company’s recent hacking incident. The findings are the result of investigations in cooperation with law enforcement and third-party IT security experts.
The big revelation in the latest update is that, in addition to credit card data, the hackers got access to separate files containing 53 million email addresses. Home Depot says the files did not contain passwords, payment card information or other sensitive personal data, but it warned customers to be on the lookout for possible phishing scams.
The company says cyber criminals used a third-party vendor’s user name and password to enter Home Depot’s network; however, those stolen credentials alone did not provide direct access to the company’s point-of-sale devices. Instead, the hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy “unique, custom-built malware” on its self-checkout systems in the U.S. and Canada.
The company reiterated that the malware used in the attack had not been seen in any prior attacks and was designed to evade detection by antivirus software. It also reaffirmed that the hackers’ method of entry has been closed off and the malware has been eliminated from the company’s systems.
To help prevent future breaches, the company says it has implemented enhanced encryption of payment data in all U.S. stores. The new security protection locks down payment card data, taking raw payment card information and scrambling it to make it unreadable. Home Depot’s encryption technology is provided by Voltage Security, Inc.
Implementation of the project, launched in January 2014, was accelerated after the breach and completed in all U.S. stores on Sept. 13. The company says the rollout to Canadian stores will be completed by early 2015.
Home Depot will also deploy EMV chip-and-PIN technology, which uses microchips to support higher-security authentication methods and has been available in the company’s Canadian stores since 2011.