Payment cards were put at risk after Home Depot’s self-checkout systems in the U.S. and Canada were infected with unique and custom malware.

Home Depot announced on Thursday that approximately 53 million email addresses were stolen in the data breach the company confirmed in early September. Later that month the retailer said the breach had put roughly 56 million unique payment cards at risk.

Those payment cards were put at risk after Home Depot's self-checkout systems in the U.S. and Canada were infected with unique and custom malware, according to a release. A Home Depot spokesperson told SCMagazine.com in a Friday email correspondence that the malware was found only on self-checkout terminals and that there is no evidence online transactions were affected.

The criminals got onto Home Depot's network using a third-party vendor's username and password, then escalated their privileges until they could reach the retailer's point-of-sale (POS) devices and deploy the malware, the release indicates.

“Once hackers gain a foothold on the network, as they did with Home Depot via a third-party vendor, they can jump to different users until they get to a level where they can create their own admin credentials that enable them to deploy malware on Home Depot's POS systems,” Nir Polak, CEO of Exabeam, speculated in a Friday email correspondence with SCMagazine.com.

A variety of third-party vendors could have been in possession of credentials that, when compromised, ultimately enabled the breach, Armond Caglar, senior threat specialist at TSC Advantage, told SCMagazine.com in a Friday email correspondence.

They include “vendors, suppliers, sub-suppliers, maintenance, HVAC, contractors, auditors – anyone doing business with Home Depot and who might need access to their network for the purposes of electronic accounts payable/billable, contracts, project management, [and more,]” Caglar said.

The credentials may have been compromised through social engineering, Polak said: the attackers could have performed reconnaissance on the vendor and then crafted a convincing phishing email that lured one of its employees into handing over a username and password.

“If we are to use recent history as an informative reference, third-party credentials can be stolen very easily using malware-laced phishing attacks targeting unsuspecting employees of the vendor in question,” Caglar said. “Once clicked and introduced onto a targeted network, highly effective bots are deployed that are programmed specifically to be voracious consumers of any and all passwords.”

Home Depot is making efforts to contact customers whose email addresses were stolen, and is warning them to be on the alert for emails requesting personal information, according to an FAQ, which adds that the compromised files containing the email addresses did not contain passwords or other sensitive information.

“Once obtained, [email] accounts can be sold on the black market to other criminal groups whose interest might be using your email address as the preferred infection vector to introduce spam and clever phishing attacks against your friends and contacts,” Caglar said.

Home Depot is implementing EMV chip-and-PIN technology to enhance security, and is also deploying enhanced encryption of payment data, which scrambles raw payment card information so that it is unreadable and virtually useless to hackers who intercept it, the release indicates. Voltage Security is providing the encryption technology.

Polak said these steps help, but do not address the root problem: detecting the use of stolen user credentials faster.

“Attackers may still target retailers via vulnerabilities resident in their third-party business relationships and networks and still obtain sensitive, non-PCI data as well, such as trade secrets and other intellectual property,” Caglar said. “This can have just as devastating an impact on both brand reputation and top line sales as any other attack.”