Home Depot confirmed in September that its payment systems were breached by hackers, but those hackers walked away with more than just payment data. The company recently revealed the findings of an internal research report, which also involved third-party IT experts, and said that the hackers also gained access to more than 53 million personal e-mail accounts during the attack. Home Depot also explained how the scheme happened.
“Criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network,” the firm said. “These stolen credentials alone did not provide direct access to the company’s point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.” The hackers used malware that was able to skirt around antivirus software used on the firm’s corporate networks.
Home Depot again admitted that while some payment card data was also obtained, none of the files included “passwords, payment card information [such as PINs] or other sensitive personal information.”
In an effort to thwart future attacks, Home Depot said it is rolling out enhanced encryption from Voltage Security across its stores that scrambles the raw payment card data, and it is also speeding up the deployment of chip-and-PIN systems, which are already in Canadian stores. Home Depot isn't the only firm that was attacked recently; its breach follows similar attacks on Target, Neiman Marcus and, most recently, Staples.