It's been almost six months now since hackers first managed to breach Home Depot security in April, and started stealing its customers' confidential financial data.
The breach itself wasn't first discovered by independent security bloggers until Sept. 2, and not until Sept. 18 did Home Depot formally announce that yes, hackers had breached its security, and made off with 56 million debit- and credit-card numbers.
Home Depot also said that hackers did not steal anybody's personal identification numbers (PINs), which appears to be true yet might not matter since earlier reports suggested that, while the hackers didn't actually get anybody's PINs, they did get enough other data to change people's PINs without their knowledge.
Yet for all the time this security breach has existed, it appears that only now is the full financial damage starting to make itself felt.
The Wall Street Journal first reported yesterday that fraudulent transactions traceable to the breach were starting to surface, “rippling across fiancial institutions and, in some cases, draining cash from customer bank accounts.”
The customers who actually had money withdrawn from their accounts (as opposed to seeing fraudulent charges appear on their credit cards) presumably had this happen because the hackers were able to change their PINs by gaming the Voice Response Unit (VRU) banks use to deal with PIN changes; if you're worried your own bank account might be at risk, you might want to double-check your bank's PIN security measures against this hacking technque which security blogger Brian Krebs explained on Sept. 8.
In other news, related to the Home Depot breach, two credit unions (New York's Southern Chautauqua Federal Credit Union and Pennsylvania's First Choice Federal Credit Union) filed suit against Home Depot in Atlanta federal court last week, over financial damages the credit unions sustained as a result of Home Depot's data breach. An attorney says that the breach has already cost the financial industry “hundreds of millions” of dollars in damages.
The two credit unions are trying to have their lawsuit granted class action status. In Canada, an Ottawa man who says hackers charged $8,000 to his credit card after the breach is also suing Home Depot, and seeking similar class-action status for affected Canadians.