Expert: Credit data stolen from every Home Depot

You probably don’t have to wonder whether your local Home Depot store was one of the ones where credit card information was stolen by, presumably, Russian hackers. It was, says online security expert Brian Krebs.

Krebs has checked out what credit card information is being sold online by the hackers and he finds that card information from virtually every Home Depot store in the country is included.

In all, there were 1,822 ZIP codes represented in the card data for sale on Rescator’s site, and 1,939 unique ZIPs corresponding to Home Depot store locations (while Home Depot says it has ~2,200 stores, it is safe to assume that some ZIP codes have more than one Home Depot store). Between those two lists of ZIP codes, there are 10 ZIP codes in Rescator’s card data that do not correspond to actual Home Depot stores.

Finally, there were 127 ZIP codes for Home Depot stores that were not in the list of ZIPs represented in Rescator’s card data. However, it’s important to note that the data pulled from Rescator’s site is almost certainly a tiny fraction of the cards that his shop will put up for sale in the coming days and weeks.

What does all this mean? Well, assuming Home Depot does confirm a breach, it could give us one way to determine the likely size of this breach. The banks I spoke with in reporting this story say the data they’re looking at suggests that the breach probably started in late April or early May.

To put that in perspective, the Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks, and resulted in the theft of roughly 40 million debit and credit card numbers. If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target.

Krebs recommends the usual action by consumers: Monitor your accounts for unusual activity and don’t depend on banks to alert you to fraudulent activity. Because the stolen credit card numbers come from so many different ZIP codes, purchases may not look particularly unusual to the banks and credit card companies.

The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).

Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.

Related: Home Depot Tries to Reassure Customers About Possible Data Breach (WSJ).

I Feel Nothing: The Home Depot Hack And Data Breach Fatigue (NPR’s All Tech Considered).

  • John Peschken

    I just came back from a trip through 5 Canadian provinces. The store clerks and gas pumps there were all confused/irritated/surprised by my mag strip card. If cards with chips would help, why can’t we ask our exalted “Job Creators” to do what they seem to have done all over Canada? I suppose we would get another lecture about how it will cost jobs and raise prices. The best we can hope for is that this eventually costs banks so much they are inspired to get the changeover done in less than 10 years.

    • Allison

      Visa and MasterCard are actually switching liability to merchants who are not EMV (chips) compliant October 2015 for fraud committed with counterfeit cards, which is what generally happens with the information stolen at brick-and-mortar merchants. (Currently, banks are liable for any fraud on counterfeit cards.) Most banks are either in the process of switching to EMV cards, or at the least, planning when they will be switching.

    • Jack

      Ah yes – the American trip to Canada. We were there in July and we were immediately pegged as Americans since we didn’t have the “chip and pin” version of the credit card.

      No debit card for me, it’s cash or credit. I do however feel sorry for those deemed not to be yet credit-worthy who have to rely upon a debit card.

  • John O.

    So if guys like Krebs know who has this data, and they are Russians, why aren’t we trying to convince Putin and his thugs to do something about it? Oh wait…..

  • Gary F

    I’ve already made the switch to not use the debit card and use credit card only. The legal protections of credit cards are better than debit cards.

    I get a mailing every month or so from Lifelock. This time I didn’t toss it. I think I’m going to look into a service like this.

    • Dave S.

      Consumer Reports basically said those services aren’t worth the money. Check it out for yourself.

    • Dave

      The CEO of Lifelock got hacked once.

      • Dave S.

        In fairness, I believe the point of those services is not to prevent your getting hacked, but to help alert and protect you in the event you DO get hacked.