If the evidence proves to be valid, the Home Depot hack could top the record-setting breach of Target’s network last December.
So far, all roads point back to Home Depot. And if the evidence uncovered so far proves to be valid, the hack could top the record-setting breach of Target’s network last December.
Investigators are searching for what they call “a common point of purchase” among the cards.
Bank employees are able to identify stolen cards simply by examining the first six digits of the card, which are known as the Bank Identification Number, or BIN number. They are buying back card numbers and cross-referencing the transactions of those cards in search of one common retailer.
Fraud detectives, meanwhile, who do not have access to transaction data, are able to exploit a recent innovation in the underground. In the last few years, carding sites have been selling the city, state and ZIP code of the store from which each card was stolen in addition to the account number and expiration date, said Ron Sadowski, the director of technology solutions at RSA, the security division of EMC.
Hackers can charge a higher price for that location data because it allows criminals and counterfeiters to fool fraud-detection controls, which often flag purchases from far-flung places, Mr. Sadowski said. Investigators will try to match those ZIP codes to a list of store locations for a particular retailer.
On Wednesday, Brian Krebs, the security blogger who first reported the potential breach of Home Depot, said that there was a 99.4 percent overlap between ZIP codes listed in a collection of stolen account numbers on an Eastern European carding site, called Rescator, and Home Depot’s store locations.
Mr. Krebs said that out of 1,822 ZIP codes listed in the stolen card data on the Rescator carding site, only 10 did not correspond to a Home Depot store location.
That means the breach could affect most of the retailer’s 2,200 stores, which is about 400 more than the Target breach.
Mr. Krebs, citing bank sources, said fraudulent activity indicated that the breach on Home Depot began as early as late April. If that is confirmed, criminals would have had unfettered access to Home Depot’s payment systems for some four months. By comparison, Target’s breach was detected after three weeks.
Home Depot, based in Atlanta, has not confirmed that it was the victim of a cyberattack, only that it was investigating “unusual activity.”
Paula Drake, a spokeswoman for Home Depot, said the company’s forensics and security teams “have been working around the clock since we first became aware of a potential breach Tuesday morning.” Ms. Drake said Home Depot had engaged Symantec and FishNet Security, two cybersecurity firms, to look into a possible breach.
If a breach is confirmed, Ms. Drake reminded customers that they would not be responsible for fraudulent charges and said Home Depot would offer free identity protection services, such as free credit monitoring.
Retailers are not the only businesses being targeted by hackers. Last week, JPMorgan Chase was the victim of a sophisticated breach that security experts say has affected as many as five financial institutions. The identity of the other institutions is still unclear.
“Underground criminals are going after all manner of businesses, large and small, that they think are vulnerable,” Mr. Sadowski said. “But the good news is there is more information than ever on how criminals are trying to perpetrate these attacks.”