The final word on the Home Depot breach has been reported by Brian Krebs and it turns out to be a breach of massive proportions:
Home Depot said today [14th September] that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record.
The disclosure, the first real information about the damage from a data breach that was initially disclosed on this site Sept. 2, also sought to assure customers that the malware used in the breach has been eliminated from its U.S. and Canadian store networks.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the company said via a press release (PDF). “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”
Read Brian’s article in full here: Home Depot: 56M Cards Impacted, Malware Contained
Amazing how quickly they can roll out security enhancements along with (meaningless) assurances once they realise they have a publicity nightmare on their hands.
Noteworthy also that the thefts occurred over several months without any system-generated alerts.
I’d score Home Depot about 2/10.
It’s about time the customers who incur the consequences had some redress.