More Bad News surrounding Home Depot Data Breach

Los Angeles, CAThe data breach nightmare that hit retail giant Home Depot last year is continuing to have repercussions for both the retailer and the millions of North Americans who fell victim to the massive hack simply for being a customer. Many a data breach lawsuit has come forward as a result of the compromised information.

Now comes word that up to 53 million e-mail addresses in the Home Depot system for both US and Canadian customers were likely a part of the hack. While Home Depot suggested that hacked files containing the e-mail addresses did not carry passwords, debit or credit card information, or other sensitive data, this latest twist on the data breach prompted Home Depot officials on November 6 to issue a warning to consumers to be on guard for phishing campaigns, spam and other unwanted e-mails.

E-mail addresses are a favored target, as lists can be sold as a valued commodity in the underground economy. Many Americans have felt the sting of innocently submitting an e-mail address in order to qualify for a contest or free product campaign, only to find they are soon inundated with unwanted e-mails from unknown sources. Most consumers are extremely careful about to whom they submit e-mail addresses. Retailers customarily ask for e-mail addresses in order to send newsletters or to validate an account. Consumers are led to assume such information is protected and secure.

In the case of the Home Depot data breach, it was not. In a statement issued November 6, Home Depot said that “customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.”

The Home Depot data breach is similar in tone to the breach affecting the Target chain last year. Both retailers hold that information systems were aptly protected according to the threats of the day. In the case of Home Depot, IT investigators found evidence of malware not seen in previous hacks when they investigated on September 2, following reports of a possible hack.

The malware, reportedly designed to avoid detection from modern antivirus software, is presumed to have been infiltrating through the Home Depot data systems since last April.

According to various data breach reports, the as-yet unnamed hackers cracked the Home Depot data systems utilizing a username and password lifted from a third-party vendor. Once in the system and armed with the third-party access protocol, the hacker(s) are reported to have acquired so-called “elevated rights,” which allowed a deeper peek into data systems, through the deployment of custom-built malware through Home Depot systems in both the US and Canada.

Home Depot has reportedly since removed the malware successfully from its systems in both the US and Canada, together with new and updated encryption protocols that have been vetted as secure by two independent IT security firms.

That’s cold comfort for the millions of Home Depot customers who may have had their e-mails and other sensitive data stolen. It is presumed that Home Depot - and Target - will be facing data breach lawsuits for some time…