There's more information available about the Home Depot database hacking reported earlier this week, and that news is about as bad as it gets.
Security blogger Brian Krebs, who first broke word of the security breach, reports that new evidence suggests the credit- and debit-card breach affected every Home Depot store in the United States.
There's no doubt that a great many stolen credit and debit card numbers have suddenly appeared for sale in underground crime stores; the only question is, where were these numbers first stolen from?
Data theft is much harder to detect than the theft of physical goods. If, for example, a thief broke into your house and stole your TV, this would be immediately obvious after even a casual glance: there's the shattered window or broken door lock where he entered the house, and the TV is gone.
Not much evidence
But when credit card numbers or other sensitive data is stolen from a database, there's no sign of forced entry, and the numbers don't actually go “missing;” usually, the first sign that anything's wrong doesn't come until either somebody discovers the information for sale in an underground crime store, or card-issuing companies start collecting an unusual number of fraudulent-charge complaints from their account holders.
At that point, the companies (possibly with assistance from the U.S. Secret Service) start doing detective work to figure out what all of these stolen cards have in common. If, for example, it turns out that every single card had been used to make a legitimate purchase at Home Depot within a certain time frame, with no other common point of purchase, then chances are the breach involved Home Depot's database somehow.
However, the detective work behind the Home Depot data breach focuses more on zip codes – or, more specifically, the underground crime store where these stolen accounts are for sale divvies them up according to the zip code of the store where they were stolen. Why is that? As Krebs explained:
The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).
Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.
Worse than Target
Based on the currently available information, it does appear that this Home Depot breach is much worse (in terms of the number of affected customers) than the Target breach.
As Krebs pointed out: the Target breach left customer data from about 1,800 stores exposed to thieves for roughly three weeks, whereas this Home Depot breach appears to involve customer data from 2,200 stores, starting last April or May and lasting all through the summer.