Home Depot discloses 56 million Credit Card Numbers lost in Security Breach

Home Depot, the largest home improvement retailer, has announced that 56 million credit card numbers have been compromised. In what is now known to be the biggest security breach in corporate history, Home Depot has been the target of an attack that lasted from April to September 2014.

Home Depot managed to beat the previous record, held by Target with 40 million compromised credit cards. As a result of Target’s security breach, the company laid off its CIO. Chairman, President and CEO Gregg Steinhafel then announced his resignation as a result of the security breach and previous unfortunate events, like losing $941 million in a failed Canadian expansion.

Background

September 2nd: the same man who announced Target’s breach, Brian Krebs, announces a new security breach, this time at Home Depot. The same day, Home Depot starts digging through its POS systems and on September 8th announces that a breach has indeed happened.

Krebs reports that the same group of Russian and Ukrainian hackers that managed to steal Target’s data were responsible for the hack. The same day a new batch of credit cards shows up online. The batch’s code name: European Sanctions.

Implications

16 days later, Home Depot announced that it managed to clear all infected systems and “has completed a major payment security project that provides enhanced encryption of payment data at point of sale”.

The company worked with security firms, banking partners and the Secret Service to find out as much as possible about the breach. Results show that hackers used custom-built, never-before-seen malware. This was not the work of some isolated hacker group acting on its own. A very well organized attack has been put in motion.

Home Depot has worked with banks to provide customer support to those in need. A small local bank, Dollar Bank, as well as larger banks such as JP Morgan Chase and Capital One, have started replacing credit cards.

Although Home Depot has not been hit by the market as heavily as Target, one can still feel the tension looming over the retailer’s security actions. Consumers are more careful in how they use their credit cards and banks have jumped on board the Apple Pay system, which promises better security.

Is there a cyber war out there?

The fact that the same group of hackers seems to have been involved in attacking Target as well as Home Depot points to a maybe. But then you have the Secret Service involved. You have an ex-Homeland Security contractor acting as CIO with Target. You have the FBI investigating whether Russia is behind the recent JP Morgan Chase cyber attack.

But most of all - you have Edward Snowden, defected to Russia with a few gigs of classified information on US cyber intelligence actions. Some of those actions may have included packing backdoors and security flaws into US digital infrastructure. Too bad.

Yes, there probably is a cyber war going on and the US and Europe are extremely exposed. Retailers should pay a lot more attention to their security backbones and check each potential backdoor, should they not want to suffer the same unfortunate events Home Depot, Target and others have faced.

Ebay Lost 233 Million Accounts. Could It Be More Than Hackers?

In what could be the biggest security breach in history, Ebay may have lost personal data for 233 million accounts. Long story short – hackers got access to employees’ corporate network credentials, probably by phishing. They then accessed and extracted user data saved on Ebay databases, including addresses, dates of birth, usernames, emails and passwords, which Ebay officials mentioned were encrypted. There is yet no report of hackers stealing credit card info from PayPal (an Ebay subsidiary).

A totally unrelated Ebay product

Ebay was “quick” to notify its users on the breach - it only took them three months to discover and communicate what could now be the largest cyber-attack on an American company.

Is there more to this security breach and others?

One can only notice the similarities between this breach and the one that previously put Target's CEO out of a job. In the previous biggest cyber-attack on an American company, Target lost personal data for more than 110 million of its customers, some of which included credit card info.

In the aftermath the company was heavily investigated by law enforcement as well as the Secret Service. The company hired a new CIO following the security breach, Bob DeRodes, a former security analyst for the US Department of Homeland Security, US Department of Justice and the US Secretary of Defense.

The fact that Target customers’ credit card info later showed up on Russian underground forums, as well as involvement from national security specialists, points to something closer to cyber warfare than your everyday phishing.

There will be others

The shady practices employed by the NSA to gather intel have probably left the Internet a less secure place. If it weren’t for Heartbleed, a vulnerability the agency has allegedly kept secret, or other backdoors, tracked and harnessed in the interest of “national security” – probably Ebay wouldn’t report losing more than 200 million accounts today.

Now I’m not saying that some groups left American tech companies with heavy security gaps. And I’m not saying that some former agent / analyst of theirs is halfway across the globe in a country known for its history of espionage and overall unfriendliness toward the US. But probably someone should say it.

Target CEO Resigns Over Security Breach. Gets Paid Millions to Leave.

Last year American retailer Target was the victim of a security breach. The hack compromised personal data for over 110 million customers. What is now known to be one of the biggest security breaches in corporate history has not left the company unscathed.

The Backstory

On December 13th, 2013, Target executives meet with the US Justice Department. The reason: discussing a hack that exposed credit and debit card data for over 40 million customers. On December 18th security analyst Brian Krebs breaks the news. The Secret Service is involved and Target gets investigated.

On Dec. 27, 2013 word’s out that PIN numbers for the stolen cards were accessed. Target acknowledges PINs were accessed but says they were not decrypted. Meanwhile Russian forums get flooded with millions of credit cards.

And then it gets worse: Target declares an additional 70 million customers were affected by the security breach. The company reveals poor Holiday sales, lays off 475 employees and reports costs associated with the data loss topping $200 million.

Fortunately, employees get to wear jeans and polo shirts.

The breach left Target in a disastrous situation as profits dropped 46% in the last quarter (-$440 million), compared to the year before.

First the CIO, now the CEO

After the blast, some heads were sure to fall. First was CIO Beth Jacob, the obvious … target. To show it means business, the company brought Bob DeRodes on board, as new CIO and executive VP. DeRodes, 63, started on May 5th and now oversees the adoption of secure technology, with the help of $100 million worth of tech investments.

The new CIO is a tech security veteran, his previous endeavors including being a senior IT advisor for some organizations you might have heard of: the US Department of Homeland Security, US Department of Justice and the US Secretary of Defense.

Gregg Steinhafel

But that was not enough. Chairman, President and CEO Gregg Steinhafel announced his resignation. The breach left both Steinhafel and the company in a vulnerable position. 

The company announced the parties have reached a settlement that will probably allow the ex-CEO to walk out with over $11.7 million in salary and incentive pay. Not bad for a CEO leaving a company that lost $941 million in its Canadian 2013 expansion, is under heavy fire from Amazon and Walmart and was just exposed to the biggest card robbery in history.

But then again, the man did work for Target for the past 35 years.