Home Depot hackers used vendor log-on to steal data, emails

Hackers used a vendor’s stolen log-on credentials to penetrate Home Depot’s computer network and install custom-built malware that stole customer payment-card data and e-mail addresses, the retailer announced Thursday. The malware, Malware
which had not been seen in other data thefts, was installed on self-checkout registers that were hacked. The malware was designed to evade antivirus software and has since been eliminated, Home Depot officials said. The company had announced in September that the massive data breach allowed criminals to harvest information from 56 million credit and debit cards in the United States and Canada.


HD ImageHome Deport said the e-mail addresses did not contain passwords, payment card information or other sensitive personal information. The company is notifyingaffectedcustomers and offering credit monitoring, though it said, “In all likelihood this will not impact you.”

Customers were warned to be alert for so-called phishing scams that try to dupe people into revealing personal information or clicking on links that may install malware on their computers. It reiterated common tips to guard against identity theft.

The breach, which has cost $62 million, began in April and went undetected for several months. Home Depot is offering customers free identity-protection services, including a year of credit monitoring.

“We apologize for the frustration and anxiety this causes our customers and we thank you for your patience and support as we work through this issue,’ the company toldcustomers.

Some shoppers — those with Home Depot Project Loan cards — have received a $50 store gift card to “show our appreciation for being a loyal customer.” The company did not mention the gift cards in its public statements Thursday.

The company said personal data that may have been compromised included customers’ name, credit card number, expiration date, cardholder “verification value” and “service code.” The verification value is not the three- or four-digit security code on a card.

Home Deport added that “at this time” it does not believe check payments were affected, and that “while we continue to determine the full scope, scale and impact

of the breach,” there was no evidence that PIN numbers were compromised.

In January, Target announced that hackers who also used a vendor’s sign-in credentials to install malicious software and steal data on 40 million credit and debit cards, in addition to personal data for up to 70 million customers, including e-mail addresses.

Some of the malware code was in Russian.