In a quickly developing story, it appears that Home Depot has suffered a data breach that dwarfs the one suffered by Target last year. Early this morning, credit card information collected from what seems to be 2,400+ Home Depot stores around the world was sold online by Eastern European hackers. The stolen information was sold on the underground store Rescator, which leads to the suspicion that the same group of Russian and Ukrainian hackers that previously infiltrated Target, Sally Beauty, and P.F. Chang’s is responsible. The group is likely different from W0rm, a separate Russian hacker group. The revelation comes from Brian Krebs of the famous security blog KrebsOnSecurity. The last major credit and debit card data heist from a large retail chain happened to Target late last year. That particular heist was also reported by Krebs.
In a prepared statement sent to Krebs, Home Depot spokeswoman Paula Drake confirmed that Home Depot was aware of the potential breach:
I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.
Home Depot Is A Bigger Target
Target has some 1,800 stores around America; Home Depot has ~2,200 stores within America and 200 plus outside of America. The Target data breach resulted in 40 million credit and debit cards’ information being stolen alongside 70 million personal records, which included names, emails, physical addresses, and phone numbers. All in all, the trove of breached data was skimmed over the course of less than twenty days. Krebs claims that several banks contacted by the site say the Home Depot breach may have started as early as late April or early May 2014. At this point, there’s been no official word on how much sensitive information was stolen from Home Depot; however, everyone should be prepared for a very, very large number.
Bitcoin Users Are Safe From This Type of Data Breach
The Target data breach was the result of malware that was successfully installed in Target’s security and payments system. Once customers swiped their cards for their scanned and bagged items, the malware would store the valuable information on a Target server that happened to be under the control of the hackers. This style of attack, likely emulated at Home Depot, only works on payments where all the pieces of information necessary to initiate a value transfer are entrusted to the other party. More simply put, credit card and debit card payments are “pull” transactions. Bitcoin payments, like cash payments, are “push” transactions. As most Bitcoin enthusiasts will remind you over and over again, sending a Bitcoin transaction between two parties is a trustless exercise. Sure, the particular Bitcoin address that you use will forever be stored on the blockchain; however, your private key is never revealed during the course of proper Bitcoin use. In fact, private keys can be stored offline and still be used to sign valid online transactions, an added layer of security that is simply impossible with cards. If you’re still wondering about push versus pull transactions, check out Richard Gendal Brown’s blog post on the matter.
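The push-versus-pull difference described above, as an added example that is not from the original article: it compares what a compromised terminal can reuse in each model. Assumptions: the card record and payee names are constructed, the issuer check is deliberately simplified, and a Lamport one-time signature (standard library only) stands in for the ECDSA signatures Bitcoin actually uses.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit; the unrevealed half never leaves the payer.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(H(s) == pk[i][bits[i]] for i, s in enumerate(sig))

# Constructed sample data (well-known test card number, made-up payees).
CARD_ON_FILE = {"pan": "4111111111111111", "exp": "12/30"}

def pull_authorize(presented_card, payee: str, amount: int) -> bool:
    # Pull model (simplified assumption): only static card data is checked,
    # so whoever holds that data can name any payee and any amount.
    return presented_card == CARD_ON_FILE

def push_authorize(pk, payee: str, amount: int, sig) -> bool:
    # Push model: the signature covers this exact payee and amount.
    return verify(pk, f"pay {payee} {amount}".encode(), sig)

def run_demo():
    sk, pk = keygen()                        # sk stays with the payer, possibly offline
    sig = sign(sk, b"pay hardware-store 25")
    skimmed_card = dict(CARD_ON_FILE)        # what terminal malware captures (pull)
    skimmed_pk, skimmed_sig = pk, sig        # what it captures (push)
    return {
        "pull_legit": pull_authorize(CARD_ON_FILE, "hardware-store", 25),
        "pull_reuse": pull_authorize(skimmed_card, "someone-else", 999),
        "push_legit": push_authorize(pk, "hardware-store", 25, sig),
        "push_reuse": push_authorize(skimmed_pk, "someone-else", 999, skimmed_sig),
    }

if __name__ == "__main__":
    print(run_demo())
```

The sketch does not model replay of the identical payment; in Bitcoin the ledger handles that, because a signed transaction spends specific outputs only once.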