Home Depot Rushes to Deploy EMV Cards in Wake of Massive Data Theft

By Wayne Rash  |  Posted 2014-09-20

While Home Depot is saying that the malware eluded its existing security systems, a number of security researchers have told eWEEK that the cyber-attack was likely based on the Backoff malware, which is frequently customized for specific retailers.

Security information for the Backoff exploit has only recently been made available by law enforcement. Had Home Depot had its POS encryption system in place prior to April, the cyber-criminals would not have been able to read or use the payment card information even if they were able to steal it.

Unfortunately, while the encryption project has been completed for stores in the U.S., stores elsewhere will not have encryption in place until early 2015.

Home Depot has not provided any details about how the breach was carried out, nor has the company responded to requests from eWEEK seeking information beyond the press release. However, indications are that the malware was introduced through the self-checkout POS terminals and affected only those. Because the Backoff malware and its variants require some sort of direct access to the POS terminals, it's unlikely that Home Depot was penetrated through some sort of phishing attack.

But because neither Home Depot nor Voltage is commenting on the solution to the breach or the manner in which it came about, other retailers won't be able to benefit directly from their experience.

At this point, it appears that the POS system was attacked through a brute-force attack or through some sort of back door.

However, because the malware seems to have affected all of Home Depot's self-service POS terminals, it would appear that, one way or another, its POS system was accessed remotely and the malware was installed that way.

This is one situation where the company could really benefit other retailers by helping them determine where to look for weak spots. When Target found that its breach happened because of access using a vendor's log-in, it gave the rest of the industry the information it needed to limit access to third parties. It's hard to know what to learn from Home Depot.

The sad part is that the company is probably worried that the cyber-criminals will then know where its system was weak, but quite frankly, that's a misplaced concern. The criminals already know.

What's really important is that customers know what to avoid, other retailers know how to secure their systems and Home Depot stockholders really know that the problem was solved. Unfortunately, Home Depot's efforts to handle damage control don't accomplish any of those things and they don't even control the damage.


