MADISON, Wis. (9/22/14)--Home improvement retailer Home Depot confirmed last week that the recent five-month data breach compromised 56 million credit and debit cards--second only behind the Heartland Payment Systems breach in 2009. But what does this mean to the average consumer?
First, look at how the information was taken. Using custom malware designed to evade traditional security tools, hackers breached the company's cash register systems in its U.S. and Canadian stores in April.
Brian Krebs, the security expert who first reported the breach Sept. 2, told NPR that it's that moment between the swipe of the card at the point-of-sale terminal and the encryption of the payment data on its way to the financial institution (Sept. 19). The malware sits at the cash register, essentially a Windows computer, and waits to siphon off the card information to the hackers, who sell the stolen card information on black-market websites, Krebs said.
Last week, Maine reported that bank names, expiration dates, names and addresses for 100,000 compromised cards were listed for sale (News Now Sept. 19). In Wisconsin, the Milwaukee Journal Sentinel found that the breach affected all 26 of the state's Home Depot stores, resulting in more than 282,000 compromised cards (Sept. 18). The combined black market asking price for the Wisconsin data--$8.16 million.
In confirming the number of affected cards, the Atlanta-based home improvement retailer also noted the malware used in the breach had been eliminated from its U.S. and Canadian networks.
The Credit Union National Association is urging credit unions to record the costs they are incurring because of the data breach. It will soon be sending credit unions a survey, similar to the one done after last year's Target breach, to collect the following information:
Number of debit and credit cards affected;
The Target breach survey found that credit unions incurred $30.6 million in costs directly related to the breach--not including fraud costs. The average cost per affected card was $5.68, and 4.6 million cards were compromised, the survey found.
During the Governmental Affairs Conference, credit union advocates were armed with state-specific numbers from the CUNA survey of how the Target breach affected them.
CUNA strongly advocates on behalf of legislation that would protect financial institutions and consumers from the harm such breaches cause by subjecting merchants to the same federal data protection standards to which credit unions and other financial institutions are already beholden.