Thursday, March 28, 2024

Home Depot Hires Data-Security Firms As Other Merchants Contend With Breaches

 

Big box hardware retailer The Home Depot Inc. has hired two data-security firms to delve into its point-of-sale systems to determine the extent of a possible breach first reported on Tuesday.

Security site KrebsOnSecurity.com said then that several banks it contacted said they saw evidence that Home Depot stores might be the source of another credit and debit card breach.

Site reporter Brian Krebs followed up on Wednesday with an analysis that compared card data offered on online sites with Home Depot store locations, using ZIP codes to match the two.

The Home Depot has yet to confirm the breach, hence the hiring of Symantec Corp. and FishNet Security.

“Our forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning, working with leading [information technology] security firms, including Symantec and FishNet Security, in that regard,” Home Depot says in a statement. “There is no higher priority for us at this time than to rapidly gather the facts so that we can provide answers to our customers. We know these types of incidents can cause frustration and concern and we apologize for that.”

It also notes that if a breach is confirmed, consumers will not be responsible for fraudulent charges. “The financial institution that issued the card or Home Depot are responsible for those charges,” it says.

Also, American Dairy Queen Corp. told the Christian Science Monitor last week that its POS system was riddled with a malware program known as Backoff. That is the same malware affecting Target Corp., Supervalu, and United Parcel Service.

Goodwill Industries International this week said about 10% of its more than 2,900 stores were affected by a breach of a third-party vendor’s systems between Feb. 10 and Aug. 14.

The sophistication and wide extent of the malware are troubling. “The number of data breaches we’ve seen in the United States is unprecedented,” says Shirley Inscoe, senior analyst at Boston-based Aite Group LLC. Indeed, according to Risk Based Security Inc., breaches involving U.S. entities accounted for 39.6% of all incidents and 74.3% of exposed records in the first six months of 2014.

Even so, the pace of breaches, at least the ones that become public, doesn’t appear to be desensitizing consumers to them, Inscoe says. “I don’t think they’re going to become desensitized, but instead increasingly feel helpless as if there’s nothing they can do about it,” Inscoe says. “Even if they’re just calling a bank to dispute a transaction, that’s a headache they shouldn’t put up with.”

Payments organizations, stretching from the retailer to processor to issuer, have to get more serious about ensuring retailers adhere to data-security standards, she says. The sophistication of the criminal activity means investigations often take longer than in the past. “In the interim, consumers wonder why they aren’t being told more,” Inscoe says.

That may contribute to the already lackluster opinion consumers have about payment security, she says. In a research report Inscoe published earlier this year, consumers widely professed little confidence in merchants’ ability to keep their data secure.


Digital Transactions