It looks like US chain Home Depot may have earned the dubious distinction of being responsible for the biggest compromise ever involving credit and debit card data.
Security blogger Brian Krebs, who first reported the data breach Tuesday, updated his report today with new information gathered from the cyber underground. According to Krebs, the data strongly suggests that a breach occurred at nearly all of Home Depot's 2,200 stores in the U.S.
Krebs based his conclusion on a review of stolen credit and debit card data posted on an online store that sells such information. The site lists each card, along with the city, state and ZIP code of the card owner, as well as the store code where the data was stolen.
The data allows crooks who want to buy stolen card data to focus on credit and debit cards that are local to the area in which they operate, Krebs noted.
Crooks can create spoofed cards with the stolen data and use those cards to make fraudulent purchases from retail locations where the card is normally used. The tactic allows thieves to use stolen cards for a longer time without being detected by financial institutions. The same tactic was used with data stolen from Target last year.
"This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder's geographic region (particularly in the wake of a major breach)," Krebs wrote.
Krebs said he obtained a list of compromised cards that four banks have traced back to transactions at Home Depot. He then compared that list with a list of more than 3,000 stolen cards currently available for sale on the online store. The cards that Krebs looked at were obtained from a total of 1,822 ZIP code areas around the country. Only 10 of those ZIP codes did not correspond to Home Depot store locations, he said.
Krebs noted that the card data he reviewed represents only a tiny fraction of the cards that are available for sale through the online store. But it is enough to suggest that those behind the breach have obtained card data from nearly every Home Depot location, he said.
"The banks I spoke with in reporting this story say the data they're looking at suggests that the breach probably started in late April or early May. To put that in perspective, the Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks, and resulted in the theft of roughly 40 million debit and credit card numbers.
"If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target," Krebs wrote.
Home Depot itself has so far not confirmed a data breach and has only said that it is investigating reports of "unusual activity" involving credit and debit cards used at its stores. It did not respond immediately to a request for comment on Krebs' latest disclosures.
However, in a statement earlier Wednesday, the home improvement giant reassured customers that they would not be liable for any fraudulent charges on their cards if a breach occurred. "The financial institution that issued your card or Home Depot are responsible for those charges should we confirm a breach," the company said. "If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers."
The breaches have highlighted escalating concerns over a point-of-sale (PoS) system malware tool dubbed "Backoff" that was used in the massive data heists at Target and others like Neiman Marcus and P.F. Chang's.
According to federal law enforcement authorities, Backoff has infected PoS systems at around 1,000 retailers. Security firm Kaspersky Lab, which conducted its own research into the malware, believes the number could be much higher.
Since news of the potential breach went public, Home Depot's shares have fallen by over 3% from US$93.11 at 11.00 ET Tuesday to $90.34 at 2.00 ET today. It is unclear, though, whether that drop is the direct result of the breach news or other factors.