Home Depot confirms security breach six days after launching an investigation

Home Depot has admitted their systems were breached, nearly four months after customer credit cards began appearing for sale on the cyber black market and six days after launching a formal investigation into the attack.

“The Home Depot today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores. There is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com,” a company release said, which was recently sent out to media.

“While the company continues to determine the full scope, scale, and impact of the breach, there is no evidence that debit PIN numbers were compromised,” the release continued.

Incredibly, it was Home Depot’s banking partners that alerted the giant home improvement retail chain they had a problem, one that closely resembled the point-of-sales malware onslaught against Target in December in which 70 million customers had their cards boosted for over $100 million in fraudulent charges.

The mysterious attack elicited heavy discussions about specifics of the malware attack Home Depot is now only accounting for. Chris Weltzien, chief executive at security out 6Scan, said the Home Depot attacks bore the hallmarks of the Target breach, which cyber security experts said had been launched by Russian hackers. Russian hackers are also suspect in the Home Depot hack.

“The latest batch of stolen cards are being sold under the name ‘American Sanctions,’ and initial sanctions for the annexation of Crimea [were] put in place in April/May time frame,” Weltzien said earlier. “Home Depot does a huge business in their own credit cards.”

Head of intelligence at Malwarebytes Adam Kujawa, in an email to VentureBeat, put it this way:

“Krebs said that a source close to the investigation revealed that a few terminals were infected with a variant of theBlackPOS malware, which was seen, in a previous version of course, as the culprit in the Target attack. Although nobody has said if it was the main culprit in this case or if it was just one of many malware used against HD,” Kujawa wrote.

Since last week, the FBI and Symantec have been working diligently to figure out exactly what had happened. A company spokesperson told VentureBeat Friday the company wasn’t even sure there had been an attack. Meanwhile, customers last week were left to scanning their credit card statements to see if their cards were for sale on Rescator.cc, a well known and shady virtual market for stolen cards and PayPal pin numbers, for example.

“Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware and protect customer data. The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on,” the press release added.

Hey, at least customers in Mexico weren’t affected.