Home Depot admits 53 million email addresses stolen in data breach

Home DepotHome Depot, the US home improvement retailer, has stated that approximately 53 million email addresses were stolen in addition to the 56 million credit and debit cards that were compromised in an attack earlier this year.

After weeks of investigation into the data breach, Home Depot has displayed its findings in a press release, which was published yesterday.

New revelations in the Home Depot data breach:

  • Criminals used a third-party vendor’s username and password to enter Home Depot’s network.
  • Hackers then acquired ‘elevated rights’, which allowed them to navigate Home Depot’s network and deploy custom-built malware on its payment systems.
  • The malware was designed to evade detection by antivirus software.
  • In addition to the payment card data, hackers were also able to obtain separate files that contained 53 million email addresses.
  • Home Depot has since deployed enhanced encryption of its payment data in 1,977 US stores, which required writing new software code and distributing nearly 85,000 new PIN pads to stores.

Although the files containing the 53 million email addresses did not contain passwords, payment card information, or any other sensitive personal information, Home Depot is warning customers to be on guard against phishing scams.

Phishing attacks try to acquire sensitive information like email addresses, passwords, and card details by masquerading as legitimate organisations. Individuals are duped into clicking on links in emails or entering their details on what they believe to be legitimate websites.

The Christmas and holiday season has long been known as a time when hackers are most active. Increased numbers of consumers shopping online and less vigilant employees at work mean Christmas is a prime time to attack. According to a survey conducted by Tufin Technologies at the Defcon hacker conference, 81% of hackers said they operated more vigorously when people were on their winter vacation, and 56% said that Christmas was the most appropriate period to hack corporate computers.

Conducting a penetration test is a relatively inexpensive, fast, and efficient means for organizations to identify any weaknesses in the security of their networks and systems.

IT Governance provides fixed-price CREST-accredited testing services that can be deployed by any organization looking for better protection.

To help organizations prepare for increased cyber threats during the Christmas period, we have a festive offer: book our Combined Infrastructure and Web Application Penetration Test – Level 1 and we will carry out an email phishing campaign to test staff awareness free of charge.