Backoff Malware Likely Cause of Suspected Home Depot Data Breach

NEWS ANALYSIS: If a data breach has actually occurred at Home Depot, which the company hasn't confirmed, it was likely caused by the Backoff malware, according to security experts.


Security experts tell eWEEK that if an ongoing investigation confirms there has been a data breach at Home Depot, it was likely caused by the rapidly spreading Backoff malware.

So far, the company is saying only that it may have been attacked and that it is still investigating whether a data breach actually took place.

"We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate," Home Depot officials said in a statement released to the media.

"We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately," the statement said.

The company also said that it would offer free identity protection services to any affected customers and that it would make an announcement once it determines whether a breach actually occurred. One security expert told eWEEK that apparently hackers have published lists of fresh credit card numbers lately, and that when those numbers were checked, they led to Home Depot.

But there's still a big leap from a potential breach tied to credit card numbers offered for sale to confirming that Home Depot has sustained a breach. In addition, Home Depot has already begun outfitting its point-of-sale terminals with chip and PIN readers, which means that at least some customers may not be at risk if the breach took place.

Security response teams at some of the card-issuing banks have already started buying back credit card numbers believed stolen in the suspected breach at Home Depot, according to John Zurawski, vice president of marketing for Authentify.

However, he said that much of the risk could be avoided if the credit cards supported two-factor authentication. One means of providing such authentication is by issuing cards with an EMV chip that require a PIN to make purchases.

Zurawski said that credit card companies can also implement phone-based two-factor authentication now, so that customers are made aware of suspicious purchases through their smartphones or even their landline phones. Such an authentication process, which already exists at some card companies, happens when a consumer gets a phone call to confirm a purchase in progress.

The way this works is that when a credit card, or a credit card number, is being presented for purchase, the customer receives a call asking whether they're really making such a purchase. If they are, they either confirm it verbally or press a number key on the phone. If the purchase can't be authenticated, then it's not approved.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...