At least 233,000 N.H. cards compromised in Home Depot data breach

NHBR analysis shows average of 11,600 cards compromised at each of 20 Granite State Home Depots
Bob Sanders,
Rob Wilson/Shutterstock

Tens of thousands of shoppers who since April have shopped at New Hampshire Home Depot stores to fix up their homes may have to repair their credit instead, thanks to a nationwide cybersecurity breach.

At last check, some 233,000 cards swiped at some 20 Home Depots in the Granite State were for sale on Rescator.cc, which is dubbed the Amazon of black market credit cards. How many other cards have already been sold, or will be sold, there or elsewhere, is anybody’s guess.

A sample of the latest batch of cards posted on the Rescator site shows they were being sold for a low of $8 to more than $40, depending on the age and the quality of the card, with about half of them selling for under $20.

No one knows who is behind the Rescator site. Rescator was embedded in malware used in last year’s data breach of the Target chain, and some speculate that it might have a Russian connection. Indeed, a warning on the site that its address may be changed is translated into Russian, Hebrew, French, Spanish, Italian and German.

While data from other breaches – including the Target breach – are still being sold on the same site, hacker expert Mark Lanterman, who runs Computer Forensic Services in Minnetonka, Minn., said that the cities listed in the latest data dumps match up perfectly with the location of Home Depot stores.

The number of those dumps has grown to 13 as of Sept. 19, and he expects more dumps to appear on the site in the future. He said he suspects that the breach is a result of malware embedded in software used to upgrade point-of-sale software.

“Why aren’t they shutting this site down? Easier said then done, but if they can’t get the bad guy, can’t they go after the bad guy helping the bad guy pulling off the crime?” asked Lanterman, referring to companies that give the site its domain name or those that enable secure payments.

But he said investigators may be letting the site continue so they can hack it themselves and go after those behind the site or its customers.

By specifying state and city of the individual stores, NHBR found that there were an average of 11,600 cards compromised at the 20 New Hampshire Home Depot stores, ranging from a high of 33,000 in Manchester to as few as 300 in North Hampton.

A similar analysis of the 11 stores in more rural Maine indicated slightly less than 100,000 breaches, or about 9,000 per store.

Lanterman tried the same approach for the Minneapolis-St. Paul area and stopped after coming up with about 80,000 unique cards for eight or nine stores.

A Sept. 8 New York Times article – based on sources involved in investigating the breach – said as many as 60 million cards may have been compromised at Home Depot.

The Target breach last year, before the Christmas holiday, involved some 40 million cards and lasted three weeks. The Home Depot breach, which the company discovered in September, dates back to April, according to a company statement issued Sept. 8, acknowledging and apologizing for the breach. Lanterman contended that the Home Depot number will end up be to be much larger than the Target breach, if only because Home Depot has more stores.

The retail giant, which had earnings of $5.8 billion last year, said it would roll out more secure payment machines by the end of the year, and it offered free credit services to affected customers.

Some banks are issuing new cards, while others will only do so if they see evidence of inappropriate purchases. Credit card companies will make consumers whole, and there is no evidence that PIN numbers off debit cards have been compromised. In Manchester, there were generally more debit cards then credit cards available.

Authorities warn consumers to be on the lookout for small test purchases that criminals engage in to see if the card is still working before selling it.

The big losers are other retailers who sell to those with a stolen credit card and generally swallow the losses. While the actual loss to credit card fraud constitutes 0.68 percent of an average retailer’s revenue, a survey conducted last month by LexisNexis indicated that for every dollar lost to fraud, merchants spend a further $3.08 to replace lost inventory and cover chargeback fees and other penalties.

Retailers do take a hit, said Nancy Kyle, head of the New Hampshire Retail Association, though sometimes the hit is shared with the bank.

“But ultimately much of this cost is passed on to the consumer,” she said.

And retailers aren’t the only ones vulnerable to attack, she said. Government agencies and municipalities have also reported breaches.

“Nobody is safe,” said Kyle. “If the government can’t protect its own data, it can happen everywhere.”

Categories: News, Restaurants, Retail & Tourism

More news from NHBR: