Massive Credit Card Breach at Home Depot

The NWCUA will provide additional notifications to credit unions of any new information that becomes available.

[Update, September 8: Home Depot confirmed today that its credit card systems were breached.

“We want you to know that we have now confirmed that those systems have in fact been breached,” said a Home Depot web page addressing the breach, “which could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward. We do not have any evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.”

Home Depot also said that there is no evidence that debit card PIN numbers were compromised.

Visit Home Depot’s website for more information.]

Over the last two days, thousands of U.S. credit cards have been put up for sale on a black market website, and evidence is mounting that Home Depot has suffered a massive data breach that exposed these and likely many more cards to theft.

Home Depot has not yet confirmed that they are the source of the stolen credit card data. However, they did release a statement saying, “We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate.”

“So far, all roads point back to Home Depot,” said a New New York Times report on Thursday. “And if the evidence uncovered so far proves to be valid, the hack could top the record-setting breach of Target’s network last December.”

On Wednesday Brian Krebbs, the respected security blogger who first reported the potential breach, said that there was a 99.4 percent overlap between the zip codes of the cards being put up for sale and the zip codes of Home Depot stores, which include stores in Oregon and Washington.

“A 99+ percent overlap in ZIP codes strongly suggests that this source is from Home Depot,” said Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California at Berkeley.

“Credit union members should monitor their accounts and report suspicious activity immediately,” said David Curtis, director of compliance services at the Northwest Credit Union Association. “Additionally, those credit unions who offer their members the ability to set up alerts should encourage them to do so.”

“Although the breach has not yet been confirmed,” Curtis continued, “credit unions may want to contact their card processors to help determine the extent of the affect of the breach for the credit union.”

CUNA Mutual Group issued the following information to its bond policyholders in response to the Target breach, indicating risk mitigation steps credit unions can take in response to the breach. They include:

  • Watch for phishing fraud. Educate members not to respond to any e-mail, text message or phone calls asking for any card information including account number or PIN.
  • Report fraud. Educate members to frequently review their activity and immediately report any unauthorized transactions.
  • Determine fraud exposure. Evaluate the card number compromise information to determine if your credit union has an increased exposure for future magnetic stripe fraud.
  • Match names for Track 1. Confirm your credit union is using name matching to help prevent future card fraud where the fraudsters could change cardholder names on Track 1, which carries the cardholder’s name.
  • Alert credit bureaus. Since Track 1 carries the cardholder name, the cardholder may want to place an initial fraud alert with the credit bureaus to prevent identity fraud.
  • Review the card associations’ alerts: Visa CAMs (which was to be released last week but had not been as of press time) and MasterCard’s alert ADC1904.
  • Review open accounts. Determine which cards contained in the alerts are still active (open).
  • Move up card expiration dates. Accelerate the card expiration date on active cards contained in the alert if the card number will expire in the next 30 to 180 days. Credit unions could reissue these cards now.
  • Review other accounts. Determine which cards contained in the alerts have been closed due to fraud as a result of the Target breach.
  • Work with card processor/fraud monitoring system vendor to create rules and strategies to help prevent future fraud on the compromised card accounts.
  • Monitor your daily card fraud to identify any changes in fraud patterns that may be the result of the Target breach.
  • Recovery action. Confirm the card association’s available dispute action on the compromised cards, as well as any timeframes.
  • Ongoing monitoring. Continue to watch for any follow-up information tied to this breach and if additional action is needed.
  • Review accounts involved in the breach. Determine which cards on the card association alerts are still active (open).
  • Review other accounts. Find out which cards on the alerts are non-active and have been closed due to fraud. Identify if the fraud pattern on the closed accounts matches the fraud pattern described in the card association’s alerts.
  • Monitor or block and reissue. Assess compromised cards to determine whether to monitor the affected cards or block and reissue the card. If opting to monitor, contact the card association (Visa or MasterCard) to determine if the credit union’s action will impact future recovery efforts. Reissued cards will be encoded with new track information, which includes the new CVV/CVC values and card expiration dates.
  • Fraud reporting. Confirm all fraud associated with this event has been reported to the card associations and to CUNA Mutual Group. Use: Visa Fraud Reporting System (TC-40), MasterCard Safe System, or Plastic Card Customer Care Center.

The NWCUA will provide additional notifications to credit unions of any new information that becomes available.

Questions about this story? Contact James Pearson: 206.340.4790, jpearson@nwcua.org.

Posted in Article Post.