Home Depot announced yesterday that in addition to the 56 million credit card accounts that were compromised, hackers also gained access to 53 million customer email addresses in the April attack.
The company is warning customers that cyber-criminals can use email addresses to launch phishing attacks, in which they pose as official institutions or businesses and solicit your personal information. Never click on a link from an unverified source and don’t respond to emails asking for information such as bank login usernames and passwords, Social Security numbers or credit card accounts.
Home Depot, third-party security experts and law-enforcement agencies have been investigating the data breach for over two months, and have confirmed that hackers relied on the same intrusion techniques used in last Christmas’s Target attack.
The Wall Street Journal reports that cyber-criminals stole company login information from a third-party vendor, then jumped into the main internal system by taking advantage of a Microsoft vulnerability. The weakness was later patched, but hackers had already gained access to 7,500 self-checkout lanes. The company believes that the criminals overlooked the 70,000 other registers because they were labeled with numbers and weren’t clearly marked as points of sale.
The hackers managed to stay in Home Depot’s system undetected for five months, mostly because they only operated during normal business hours and erased their tracks as they funneled away secure information.
Frank Blake, former Home Depot CEO, says that the company thought it was “well-positioned” to handle attacks, and had even begun a point of sale encryption upgrade that was completed in September.
However, he also told the press, “If we rewind the tape, our security systems could have been better. Data security just wasn’t high enough in our mission statement.”
Upgrade your point of sale and inventory system, so your company doesn’t get caught off guard and unsecured.