Home Depot confirms massive security breach

Home Depot confirmed on Monday afternoon that its payment data systems have been breached and that any customers who used their credit or debit cards at its stores in the U.S. and Canada since April could potentially be affected. The Atlanta, GA-based retailer said in a statement that it is still figuring out the extent of the breach but claimed that debit card PINs are not at risk and that folks who shopped in Mexico or on the company’s website should be safe.

For the past week, Home Depot has been in the spotlight after security reporter Brian Krebs detailed how several banks noticed evidence that compromised Home Depot point-of-sale (POS) systems might have been the source of stolen financial information that recently went on sale on the black market. Last week Home Depot said that it started investigating the situation after being notified by law enforcement and its banking partners that its payment system may have been compromised.

The company apologized for the “frustration and anxiety” the breach has caused its customers and said that it “has taken aggressive steps to address the malware and protect customer data” and plans on rolling out EMV chip card technology throughout its stores by the end of this year. This technology improves security because it involves payment cards that contain a tiny computer chip to process and authenticate information instead of a magnetic stripe, which criminals can easily copy.

On Monday, Krebs reported that sources told him that a variation of the same BlackPOS malware that hit Target last December is responsible for the new breach. The BlackPOS malware essentially leeches onto point-of-sale systems that run Microsoft Windows and can suck out the data from payment cards as they get swiped.

Jon Oltsik, an Enterprise Strategy Group senior principal analyst and founder of the firm’s information security service, recently told me that companies should be aware of the industry they operate in so they can best prepare for hacks, and he singled out the retail industry in light of the Target debacle as a prime example of why companies need to protect themselves.

“If you are in retail, you have to say ‘we have a risk of this attack, maybe we should lock down our POS system so they won’t execute software,’” said Oltsik.