Home Depot Card Heist May Be Bigger Than Target's

Home Depot has yet to confirm that its United States stores were hit by a massive theft of customer credit- and debit-card data, but evidence is mounting. Some security experts fear the rumored Home Depot data breach might be larger than Target's last year, which affected 40 million payment cards and 70 million personal accounts.

Even if Home Depot isn't the source of the stolen cards, an enormous trove of American credit- and debit-card numbers has recently appeared on clandestine black-market websites. Judging by where and how the numbers are being sold, the thieves behind this card "dump" may be the same group responsible for the Target data breach.

As of this morning (Sept. 4) Home Depot has yet to officially confirm a compromise related to its payment systems.

"We're looking into some unusual activity that might indicate a possible payment data breach," a post on Home Depot's corporate site reads.

The stolen card data currently on sale on a black-market "carder" website called Rescator shows signs of originating at Home Depot stores, according to independent security reporter Brian Krebs, who broke the story on his blog earlier this week.

The stolen accounts being sold on Rescator can be sorted by ZIP code, which makes each stolen card easier to use for fraud since banks often won't flag a local transaction. Krebs compared those ZIP codes with the ZIP codes of Home Depot's 2,200 U.S. locations -- and found a 99.4 percent match.

The Rescator dump, of which Krebs only viewed a small slice, also indicates how large the breach might be. Bank sources Krebs spoke with told him the breach probably began in late April or early May of this year and continued until very recently -- about four months in total.

By comparison, the Target breach affected just under 1,800 Target stores over a period of about three weeks, resulting in 40 million stolen debit and credit cards.

"If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target," Krebs wrote on his blog.

Rescator was also the primary point of sale for card data stolen from Target, Krebs noted, and the site on which more recent dumps from Sally Beauty, PF Chang's and Harbor Freight have been sold. It's possible that the same group of carders, or linked groups, may be behind each theft.

What can you do?

If you believe your credit- or debit-card data may have been stolen, you should keep a close eye on your financial accounts for any signs of fraudulent activity. (Home Depot said that if it determines a breach did occur, it will offer free identity-protection services, such as credit monitoring, to all affected customers.)

You might also contact one of the three major credit-reporting agencies, Experian, Equifax and TransUnion. Ask them to put a credit alert, which is free and lasts 90 days, on your file. You can get one free credit report from each agency per year to check for any identity fraud.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.

Copyright 2014 Toms Guides, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.