What we know and don’t know about the Home Depot breach

The massive data breach of payment card numbers and other customer details at Target last year raised serious doubts about the security of point-of-sale (POS) systems. More and more retailers, including the Home Depot, are owning up to breaches involving POS compromises, which has amplified those concerns.

In the Home Depot’s case, the company hasn’t fully disclosed what data was lost or at how many of its stores — leading to much speculation about the size of the breach and whether the same type of malware that hit Target was involved.

The Home Depot breach could potentially be much larger than Target’s loss of 40 million payment card details and 70 million other customer records.

The Home Depot has more stores than Target (about 2,200 compared to Target’s roughly 1,800) and the breach may have taken place over a period of as long as six months – much longer than the three weeks Target was breached last November-December.

The Home Depot has confirmed that its stores in Mexico were not affected by the breach, while U.S. and Canadian stores were. But which stores were hit? What data was lost? And how did this happen?

With so few answers to those questions, the next question naturally becomes: what can consumers and retailers do to stay safe?

One of the most startling revelations about the Home Depot breach is that the company’s POS registers were supposedly protected by antivirus software, but to no avail.

Sophos Senior Security Advisor Chester Wisniewski tells Bankinfosecurity.com that determined attackers can and do craft their malware to evade detection by antivirus software.

“A smart attacker in a targeted environment will always bypass your antivirus,” Chet says.

That doesn’t mean there’s no defense against the type of malware that apparently hit Home Depot POS registers.

Chet explains that an antivirus and firewall can stop the vast majority of “opportunistic” attacks, but stopping targeted attacks (also known as APTs) requires additional layers of security.

Home Depot customers can’t do much apart from checking for fraudulent charges on their credit cards (fortunately, debit card PINs were not stolen in this attack).

As Chet says in a recent episode of the Sophos Security Chet Chat podcast, “As a Home Depot customer myself, I’ll be keeping a close eye on my credit card statements for a while, just to be sure that nobody has run off with my details.”

There is one sure-fire fallback to avoid this kind of credit card insecurity – using cold, hard cash.
