Home Depot: 56 Million Cards via Stolen HVAC Vendor Credentials
Attackers used credentials stolen from an HVAC vendor — the same attack vector as the Target breach six months earlier — to access Home Depot's point-of-sale network and install custom malware on 7,500 self-checkout terminals.
Background
Home Depot had ignored internal warnings about POS system vulnerabilities for months before the breach. The company was using Windows XP, which had reached end-of-life, on many of its POS terminals.
The Attack
Attackers obtained login credentials for a third-party vendor with remote access to Home Depot's network. They used those credentials to enter the network in April 2014 and conducted reconnaissance for four months before deploying a custom variant of BlackPOS malware to 7,500 self-checkout terminals in US and Canadian stores. The malware read card data from the POS terminal's memory at the moment of the swipe, a RAM-scraping technique that captures the plaintext before it is encrypted for storage, so encryption at rest offered no protection.
Response
Home Depot discovered the breach in September 2014 after banks noticed a pattern of fraudulent card use. The company removed the malware, replaced all POS terminals with chip-and-PIN-enabled systems, and implemented end-to-end encryption. Home Depot accelerated an already-planned migration from Windows XP.
Outcome
The breach exposed 56 million unique payment card numbers and 53 million email addresses. Home Depot paid $179 million in settlements and spent over $232 million on remediation. The incident, following Target by six months, forced the retail industry to accelerate chip-and-PIN adoption in the US.
Key Takeaways
- Third-party vendor credentials are a favoured attack entry point — monitor and restrict their access
- End-of-life operating systems on POS terminals create unacceptable risk
- RAM scraping malware captures data before it can be encrypted at rest
- Chip-and-PIN (EMV) cards make stolen card data useless for in-person fraud
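Added example, not from the original page, of the vendor-access monitoring the first takeaway calls for: each third-party account gets an approved scope (which segment, which hours), and any session that steps outside it, such as a vendor account reaching the cardholder-data segment, is surfaced for review. The account name, subnets, log format and policy are all constructed.

```python
"""Scope check for third-party remote-access accounts (added example, not
from the original case study; account name, subnets, log format and policy
are all constructed)."""
from datetime import datetime, time
import ipaddress

# Constructed policy: the vendor may reach only the building-management segment, only in business hours.
VENDOR_POLICY = {
    "hvac-vendor-01": {
        "allowed_nets": [ipaddress.ip_network("10.50.0.0/24")],  # HVAC/BMS
        "window": (time(8, 0), time(18, 0)),
    }
}
# Constructed: the cardholder-data (POS) segment no vendor should ever reach.
POS_NET = ipaddress.ip_network("10.200.0.0/16")

# Constructed remote-access log: timestamp user source -> destination
SAMPLE_LOG = """\
2014-04-02T10:14:03 hvac-vendor-01 203.0.113.7 -> 10.50.0.21
2014-04-02T23:41:55 hvac-vendor-01 198.51.100.9 -> 10.50.0.21
2014-04-03T02:07:12 hvac-vendor-01 198.51.100.9 -> 10.200.14.88
2014-04-03T11:30:00 facilities-admin 10.10.1.5 -> 10.50.0.21
"""

def check_session(ts_text, user, dst):
    """Return the policy violations for one session (empty list = clean)."""
    policy = VENDOR_POLICY.get(user)
    if policy is None:
        return []  # not a vendor account covered by this policy
    ts = datetime.fromisoformat(ts_text)
    dst_ip = ipaddress.ip_address(dst)
    reasons = []
    if not any(dst_ip in net for net in policy["allowed_nets"]):
        reasons.append("destination outside vendor scope")
    if dst_ip in POS_NET:
        reasons.append("vendor account reached cardholder-data segment")
    start, end = policy["window"]
    if not start <= ts.time() <= end:
        reasons.append("session outside approved hours")
    return reasons

def audit(log_text):
    """Return (log line, reasons) for every session that violates policy."""
    findings = []
    for line in log_text.splitlines():
        ts_text, user, _src, _arrow, dst = line.split()
        reasons = check_session(ts_text, user, dst)
        if reasons:
            findings.append((line, reasons))
    return findings
```

Run against the constructed log, the first vendor session is clean, the second is flagged for off-hours access, and the third is flagged on all three checks because it reaches the POS segment at night.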