On 3, September, The Home Depot quietly posted a brief statement "about news reports of a possible payment data breach".​ It's sad but it is almost no longer news when another major retailer reports the loss of personal financial data. Maybe I should just start an ongoing post to list the latest retail data breach.

The Home Depot statement titled Statement 1 goes on to say the Company is looking into some unusual activity that might indicate a possible payment data breach and are working with their banking partners and law enforcement to investigate.

The seemingly always in the know www.krebsonsecurity.com reports that not only was there loss of financial data from The Home Depot but also that the credit card information stolen was already being sold on various sites that specialize in the resale of stolen financial data.

Krebs reports the data breach could have began as early as April and includes virtually all of The Home Depot store locations. He further estimates that based upon this length or time, if a breach is determined to have occurred it will likely become a much bigger data loss than the Target breach.

[Editor Update: Added 8, September 10:00pm UTC] It seems everyone is talking about The Home Depot data breach. Uh...except The Home Depot. It has been five days since Statement 1, the brief Corporate Media Center Release mentioned above.

Forbes, Barron's, ABC News, Wall Street Journal and many others are writing about the breach. Plus, a multitude of local newspapers have picked up the topic and are discussing the data loss from the perspective of its impact on the local communities where The Home Depot stores are located.

Let's hope that behind the scenes the Company is as they said in the release, "working with our banking partners and law enforcement to investigate." The very title chosen for the release hints at a number of future "Statements." So far, the Company seems to be stuck on Statement 1.

Does the Company stand to loose more by providing public information or by staying quiet? Time, or more accurately, next year's Home Depot shareholder's reports may tell us if withholding information at this stage of the investigation was prudent.

[Editor Update: Added 9, September 12:10am UTC] The company has released updates to Statement 1. The company states in a Press Release that the data breach is confirmed and:

  • The investigation is focused on April forward for all US and Canadian stores
  • There is no evidence of debit PIN numbers compromised
  • No customers are liable for fraudulent charges
  • Affected customers will be offered free ID protection, including credit monitoring services

The company provided additional information in the form of a FAQ, a .pdf document about how to prevent identity theft and a form to complete if you think you may have been a victim of the data loss.

It seems the Company is continuing to follow the past history of the very slow release of important information. Since the breach now appears to have existed for almost half a year, possibly the Company Management sees no reason to rush. From my viewpoint, Krebbs has been right about everything regarding The Home Depot breach so far. Does it follow that losses from this theft of information will far exceed the Target loss?

Will the hacking of high profile retailers continue? Is it arrogance, stupidity, a lack of knowledge or concern from retailers that is fueling this continuing loss of personal financial data? My crystal ball runs on Windows 98 and I think it is infected with a boot log virus. So, I don't expect an answer from the orb.

I can, however, make an educated WAG about the messed up state of retail network security. ALL retailers, large and small should expect that their Point of Sale (POS) equipment already is, or soon will be compromised. For heavens sake, take action to secure your network. Malware scans are not a silver bullet but the scans may tell you if you have a problem today.

If you are lucky enough to not already be leaking financial data, take steps to lock up your network. If you allow remote access to any part of your part of your corporate network you must be very careful. Log on authentication should be strong (read about and consider multi-factor authentication) and software to prevent brute-force password attacks is required. Your email spam prevention software should should be reviewed to assure it is working to prevent phishing emails from reaching your end users. And, just in case, your users should regularly be reminded of what social engineering issues to avoid and how to recognize dangerous emails.

Businesses who work hard and take a broad network security focus may get a pass from the Russian and other hackers in the world. But if you are not proactive, prepare to loose a lot of money and reputation that you may never regain.