New details suggest that Home Depot breach is nationwide

Data shows that 99 percent of the stolen cards being sold online are a geographic match with retail locations

Credit: REUTERS/Jim Young

On Tuesday, investigative journalist Brian Krebs reported that sources had informed him of a potential breach involving Home Depot. Home Depot is a home improvement retailer with 2,200 stores in the U.S.

Krebs' sources said they believe that the alleged breach could go back as far as late April or early May. If so, then a confirmed breach at Home Depot has the potential to be larger than the one at Target.

Aside from the reports from sources working with several banks, Krebs was able to add a little more weight to the breach speculation by reporting that criminals on an underground marketplace (http://rescator[.]cc) are selling two new batches of stolen credit cards.

These new batches emerged on September 2, but the source of their data isn't clear, aside from the likelihood that the American set came from Home Depot.

On Wednesday, Krebs offered another layer of insight.

When the 1,822 ZIP codes associated with the stolen American cards were checked by Krebs, he noticed a 99 percent match when that list was compared to the 1,939 ZIP codes where a Home Depot is located. Salted Hash checked the same data set used by Krebs, performed a manual audit of the marketplace website, and can confirm his findings.
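The ZIP-code comparison described above can be reproduced by anyone with a list of card ZIPs and a list of store ZIPs. The following is an added example, not Krebs' or Salted Hash's own tooling, and the card and store ZIP lists in it are constructed sample values rather than the article's data; it normalizes the ZIPs (ZIP+4 suffixes, leading zeros lost to spreadsheets, junk entries) before measuring the overlap and listing the ZIPs that do not match.

```python
import re
from typing import Iterable, List, Set, Tuple

# A US ZIP is five digits, optionally followed by a ZIP+4 suffix.
ZIP_RE = re.compile(r"^\s*(\d{5})(?:-\d{4})?\s*$")


def normalize_zips(raw: Iterable[str]) -> Set[str]:
    """Return the set of distinct 5-digit ZIPs from a raw list.

    Drops ZIP+4 suffixes and entries that are not valid US ZIPs, and
    restores leading zeros that spreadsheets strip from New England ZIPs.
    """
    out: Set[str] = set()
    for value in raw:
        value = str(value).strip()
        if value.isdigit() and len(value) < 5:
            value = value.zfill(5)  # e.g. "2134" -> "02134"
        match = ZIP_RE.match(value)
        if match:
            out.add(match.group(1))
    return out


def geographic_match(card_zips: Iterable[str],
                     store_zips: Iterable[str]) -> Tuple[float, List[str]]:
    """Fraction of distinct card ZIPs that coincide with a store ZIP,
    plus the card ZIPs with no matching store (worth a second look:
    data-entry errors, online orders, or a different merchant)."""
    cards = normalize_zips(card_zips)
    stores = normalize_zips(store_zips)
    matched = cards & stores
    ratio = len(matched) / len(cards) if cards else 0.0
    return ratio, sorted(cards - stores)


# Constructed sample data, not taken from the breach data set.
SAMPLE_CARD_ZIPS = ["30339", "30339-1234", "2134", "60601", "98101", "abcde", "10001"]
SAMPLE_STORE_ZIPS = ["30339", "02134", "60601", "98101", "33101"]

if __name__ == "__main__":
    ratio, unmatched = geographic_match(SAMPLE_CARD_ZIPS, SAMPLE_STORE_ZIPS)
    print(f"geographic match: {ratio:.0%}; unmatched card ZIPs: {unmatched}")
```

A high match rate is circumstantial, since many retailers share the same populated ZIPs; it narrows the candidate list rather than proving the source.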

Home Depot has only issued a brief statement to the media. Spokesperson Paula Drake said that the company is "looking into some unusual activity and we are working with our banking partners and law enforcement to investigate."

If the breach is a reality, the question is, how did it happen?

"The Home Depot breach may have been carried out in the same fashion the Target breach was performed. Given that they are both retail chains and it affected credit cards, it’s likely that a particular type of exploit that was successful will lead to others in the same fashion. This could be by the same group or a completely unrelated group," commented Paul Martini, CEO of iboss Network Security.

"Now, if the exfiltration of data at terminals was not the way this was performed, it’s very likely that the data was taken through more traditional means such as a botnet infection on a sensitive server or database."

If the attackers took a more traditional approach, it's possible they targeted an application online.

"Home Depot offers clients two payment options, one via PayPal and another through its own system," BitDefender's Marius Doroftei said.

"One technique hackers could have used to grab the data is through a vulnerability in Home Depot’s own payment interface [https://secure2.homedepot.com], however, since the site is SSL-secured, there is a higher probability they found a way to access the company’s storage facilities and steal the banking credentials."

Possible ties to the JPMorgan data breach?

In a statement, Peter Tapling, the President of Authentify, singled out the new batches of credit card data being sold by criminals online. The batches are being sold under two different names; the American set under the name "American Sanctions" and the European set as "European Sanctions."

"The 'American Sanctions' name for the card batches for sale is an interesting twist. Is this just a group that sympathizes with Russia? Or is it a state actor involved directly?" he asked.

The consensus, Tapling added, is that there's a possibility the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for recent data breaches at JP Morgan and other banks. When the JPMorgan breach was announced, the source of the attack was said to be Russia, and the reasoning is speculated to be retaliatory.

But, there's no evidence – other than a batch name – proving that the attacks are connected.

For now, Home Depot isn't responding to requests for additional statements. Nevertheless, if you follow the money and look at the data, something somewhere has gone horribly wrong. Perhaps Home Depot doesn't need to confirm anything.
